Re: [Samba] profile permissions

2013-08-22 Thread John Drescher
On Thu, Aug 22, 2013 at 6:45 AM, Michelangelo Rezzonico <
mrezzon...@ticino.com> wrote:

> I have a working samba-pdc installation with version 3.0.28
> The "profile" permissions in 3.0.28 (and all the files in this directory)
> are as follows:
> drwx--x--x  2 user1 ntuser 4096 Aug 22 12:36 profile
>
> I am installing a new server with samba version 3.6.3
> The "profile" permissions in 3.6.3 (and all the files in this directory)
> are as follows:
> drwx--x--x+  2 user1 ntuser 4096 Aug 22 12:36 profile
>
> The difference is the "+" sign that indicates ACL permissions.
> How can I correctly migrate the profile from 3.0.28 to 3.6.3 in order that
> the permissions are set correctly?
>
>
How about using rsync to mirror the filesystem from source server to dest?

John
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Issues with print command group membership

2013-08-09 Thread John W
Oh, I should have specified: This is Samba 3.6.13, on FreeBSD 9.1-RELEASE.

-John

On 8/7/13, John W  wrote:
> Hi,
>
> I have a Samba print share set up, with a "print command" specified
> that just cats the file to /dev/ulpt0. This share is accessed by the
> guest Samba account, which I have set to be the 'smbguest' username.
>
> I can manually run the print command as root, and the file prints.
> I can manually run the print command as 'smbguest' (through sudo) and
> the file prints.
>
> However, when I run the command through Samba itself (by printing over
> the network from another machine), I get:
>
> cannot create /dev/ulpt0: Permission denied
>
> This is the same message I would get if I don't have write permissions
> to the device.
> The device itself has the following permissions:
>
> $ ls -l /dev/ulpt*
> crw-rw  1 root  print0, 142 Aug  5 22:31 /dev/ulpt0
>
> The 'smbguest' account is in the 'print' group, as evidenced below:
>
> $ groups smbguest
> smbguest smbguestgroup print
>
> so it should be able to write to ulpt0. In fact, it can, when the
> command is run through sudo -u smbguest ...
>
> However, when the Samba 'print command' itself is run, the group
> membership *only* includes the 'smbguest' group. I altered the print
> command to write a log message including the output of `groups`, and
> it writes merely 'smbguest', rather than the above three groups.
>
> Is there a general explanation for this, or is this just some weird
> Samba idiosyncrasy? I would expect, since Samba is running the command
> as the user 'smbguest', that it would have full group membership, but
> all my evidence points to that not being the case.
>
> Or maybe there is something more fundamental I'm missing?
>
> I have also tried using 'force group = print', but that does not seem
> to have any effect for me. I was following the advice from this post:
> http://askubuntu.com/questions/251536/samba-guest-account-not-in-group
>
> Is it a bug?
> Something I don't understand?
>
> Any help would be appreciated, thanks.
> -John
>


[Samba] Issues with print command group membership

2013-08-07 Thread John W
Hi,

I have a Samba print share set up, with a "print command" specified
that just cats the file to /dev/ulpt0. This share is accessed by the
guest Samba account, which I have set to be the 'smbguest' username.

I can manually run the print command as root, and the file prints.
I can manually run the print command as 'smbguest' (through sudo) and
the file prints.

However, when I run the command through Samba itself (by printing over
the network from another machine), I get:

cannot create /dev/ulpt0: Permission denied

This is the same message I would get if I don't have write permissions
to the device.
The device itself has the following permissions:

$ ls -l /dev/ulpt*
crw-rw  1 root  print0, 142 Aug  5 22:31 /dev/ulpt0

The 'smbguest' account is in the 'print' group, as evidenced below:

$ groups smbguest
smbguest smbguestgroup print

so it should be able to write to ulpt0. In fact, it can, when the
command is run through sudo -u smbguest ...

However, when the Samba 'print command' itself is run, the group
membership *only* includes the 'smbguest' group. I altered the print
command to write a log message including the output of `groups`, and
it writes merely 'smbguest', rather than the above three groups.

Is there a general explanation for this, or is this just some weird
Samba idiosyncrasy? I would expect, since Samba is running the command
as the user 'smbguest', that it would have full group membership, but
all my evidence points to that not being the case.

Or maybe there is something more fundamental I'm missing?

I have also tried using 'force group = print', but that does not seem
to have any effect for me. I was following the advice from this post:
http://askubuntu.com/questions/251536/samba-guest-account-not-in-group

Is it a bug?
Something I don't understand?

Any help would be appreciated, thanks.
-John


[Samba] Ubuntu as Samba Domain Member

2013-07-28 Thread John Aviles
Hi All,
I need your help with my problem. I want SAMBA to be the PDC for my Ubuntu 
workstations. SAMBA is installed on Ubuntu also; the version for the server 
and workstations is 12.04. I have successfully joined the workstations to the 
SAMBA server but I can't login to it using the users I created in SAMBA. Can 
anybody tell me the steps on how to do this? Do I also need to add the 
Ubuntu workstations in SAMBA?
Regards,
John  


Re: [Samba] Errors in parse_share_modes Testing CTDB 2.3 and Samba 4.0.7

2013-07-23 Thread John P Janosik
Volker Lendecke  wrote on 07/23/2013 02:15:03 AM:
> On Mon, Jul 22, 2013 at 03:43:21PM -0500, John P Janosik wrote:
> > I'm working on building a CTDB/Samba cluster on AIX 7.1 with the latest
> > levels to replace an older one running CTDB 1.0.113 and Samba 3.6.1. I
> > have the new servers up and running and they seem to work, but I'm worried
> > about some messages in the logs.  I run with log level 1 on the servers so
> > that the connection details are logged.  On the old cluster there were
> > only connection/closed connection, and client time-out messages in the
> > logs.  On the new cluster I see the following messages very often:
> > 
> > 
> > [2013/07/22 15:09:02.594483,  1, pid=9437314] 
> > ../librpc/ndr/ndr.c:412(ndr_pull_error)
> >   ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
> > [2013/07/22 15:09:02.594636,  1, pid=9437314] 
> > locking/share_mode_lock.c:136(parse_share_modes)
> >   ndr_pull_share_mode_lock failed
> 
> Very likely that's bug 10008.
> 
> Volker
> 

That does appear to be the problem.  Can anyone comment on the likelihood 
of a fix in the next few weeks?  I'm trying to decide if I should wait or 
go with CTDB 2.3/Samba 3.6.16.

Thanks,

John
jpjan...@us.ibm.com


[Samba] Errors in parse_share_modes Testing CTDB 2.3 and Samba 4.0.7

2013-07-22 Thread John P Janosik
I'm working on building a CTDB/Samba cluster on AIX 7.1 with the latest 
levels to replace an older one running CTDB 1.0.113 and Samba 3.6.1.  I 
have the new servers up and running and they seem to work, but I'm worried 
about some messages in the logs.  I run with log level 1 on the servers so 
that the connection details are logged.  On the old cluster there were 
only connection/closed connection, and client time-out messages in the 
logs.  On the new cluster I see the following messages very often:


[2013/07/22 15:09:02.594483,  1, pid=9437314] 
../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
[2013/07/22 15:09:02.594636,  1, pid=9437314] 
locking/share_mode_lock.c:136(parse_share_modes)
  ndr_pull_share_mode_lock failed


I would like to know how I can tell if there is some problem with the 
locking database in CTDB before I go any farther in testing.  I upped the 
log level and I can see that this happens when getting each entry of a 
directory in dir.c:smbd_dirptr_get_entry() when it calls 
locking.c:get_file_infos() and eventually tries to parse the locking data. 
 I took a look at the Samba 3.6.1 source and I see that the code that 
parses the locking data has changed in 4.0.X.  I haven't spent enough time 
yet to understand the code to find the reason for the messages.

Can anyone give me some pointers on debugging this?  I've upped the log 
level to 10 and it pointed me down the code path that is getting hit, but 
doesn't make it clear to me what the problem is.  Here are all the 
messages generated at log level 10 inside the loop over the directory 
entries:

[2013/07/19 12:42:45.724992,  6, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/dir.c:1061(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: dirptr 0x2064dc18 now at offset 576
[2013/07/19 12:42:45.725084,  8, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/dosmode.c:632(dos_mode)
  dos_mode: ./rt_aos4
[2013/07/19 12:42:45.725157,  8, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/dosmode.c:206(dos_mode_from_sbuf)
  dos_mode_from_sbuf returning d
[2013/07/19 12:42:45.725227,  8, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/dosmode.c:683(dos_mode)
  dos_mode returning d
[2013/07/19 12:42:45.725637,  1, pid=4063418, effective(39803, 14161), 
real(0, 0)] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
[2013/07/19 12:42:45.725722,  1, pid=4063418, effective(39803, 14161), 
real(0, 0), class=locking] 
locking/share_mode_lock.c:136(parse_share_modes)
  ndr_pull_share_mode_lock failed
[2013/07/19 12:42:45.725792,  3, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/dir.c:1144(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./rt_aos4 fname=rt_aos4 (rt_aos4)
[2013/07/19 12:42:45.725880, 10, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/trans2.c:1666(smbd_marshall_dir_entry)
  smbd_marshall_dir_entry: space_remaining = 16232
[2013/07/19 12:42:45.725955, 10, pid=4063418, effective(39803, 14161), 
real(0, 0)] smbd/trans2.c:1819(smbd_marshall_dir_entry)
  smbd_marshall_dir_entry: SMB_FIND_FILE_BOTH_DIRECTORY_INFO


If anyone would like more configuration details or complete logs I can 
provide them

Thanks,

John Janosik
jpjan...@us.ibm.com 


[Samba] Provisioning command line args

2013-05-07 Thread John
Hello, I'm trying to script an installation and can't find the 
command-line argument to "samba-tool domain provision" to specify the 
DNS forwarder. I have tried "samba-tool domain provision --help" but I 
couldn't see such an option there. Does that mean there isn't one ?


I also tried to use the "samba-tool --option=option" construct 
(described on 'man samba-tool') to set the dns forwarder after the 
provision but I can't work out how to construct the parameter.


I'd appreciate a nudge in the right direction...

Thanks,
John






Re: [Samba] Samba-tool modify users info?

2013-04-11 Thread John Drescher
On Thu, Apr 11, 2013 at 11:58 AM, John Drescher  wrote:
>> I'm wondering if there's a plan for including the possibility of modifying 
>> user attributes (must-change-at_next-login, profile-path, home-drive, 
>> home-directory, etc)?
>>
> I use ldap-account-manager on my Samba 3.6 / openldap 2.3.43 based
> servers with samba domain controllers (PDC + 2 BDCs) and samba domain
> member servers.
>
> https://www.ldap-account-manager.org/lamcms/

Sorry. I misread the question.

John


Re: [Samba] Samba-tool modify users info?

2013-04-11 Thread John Drescher
> I'm wondering if there's a plan for including the possibility of modifying 
> user attributes (must-change-at_next-login, profile-path, home-drive, 
> home-directory, etc)?
>
I use ldap-account-manager on my Samba 3.6 / openldap 2.3.43 based
servers with samba domain controllers (PDC + 2 BDCs) and samba domain
member servers.

https://www.ldap-account-manager.org/lamcms/

John


Re: [Samba] Making Linux and domain users the same

2013-03-02 Thread John Drescher
On Sat, Mar 2, 2013 at 4:21 AM,   wrote:
> I have a set of Linux boxes with (nearly) working Samba configurations.  
> Windows users can get in and work with shares.  My one problem is that the 
> local  user "joe" is not the same as the domain user that logs into Samba.  
> And that means that users cannot access their own home directories, unless I 
> relax the Linux permissions.
>
> This is not surprising, given the way Samba was configured -- but the 
> question now is "how can I fix it?"  I have played with the usermap, but 
> haven't gotten that to work.  And I would prefer not to have to map every 
> user on every target box; there are a lot of them.  It seems likely that 
> there should be a global solution to this.
>
> The evidence for the problem is clear.  Below is a listing of directory 
> containing two files:  one created under by the local Linux user, and one 
> created by the same user on a Windows box connecting to the share:
>
> $ ls -l
> total 4
> -rw-r--r-- 1 joeusers3 Mar  2 03:40 File_Created_In_Linux
> -rwxrw-rw- 1 joedomain users 3 Mar  1 13:12 File_Created_In_Windows
>
> $ ls -n
> total 4
> -rw-r--r-- 112903  100 3 Mar  2 03:40 File_Created_In_Linux
> -rwxrw-rw- 1 16777217 16777216 3 Mar  1 13:12 File_Created_In_Windows
>
>
> And here is the Samba config:
>
> [global]
> workgroup = X
> realm = X.com
> netbios aliases = X
> security = DOMAIN
> password server = X
> wins server = X
> ldap ssl = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template homedir = /usr/acct/%U
> template shell = /bin/tcsh
> winbind cache time = 5
> winbind use default domain = Yes
> create mask = 0777
> directory mask = 0777
>
> [myshare]
> path = /shares/test
> read only = No
>
> [homes]
> read only = No
>
>
> --
> Thanks in advance for any light you might shine on this.

Is your /etc/nsswitch.conf setup to use winbind?

John


Re: [Samba] Strange winbindd messages

2013-02-08 Thread John Center

Hi Andrew,

Thanks for getting back to me.

On 02/07/2013 04:52 PM, Andrew Bartlett wrote:

On Fri, 2013-02-08 at 08:43 +1100, Andrew Bartlett wrote:

On Wed, 2013-01-23 at 11:59 -0500, John Center wrote:

Hi,

We are running samba v3.6.3 on Ubuntu 12.04 server.  This is being used
with FreeRADIUS for wireless authentication with AD.  We just logged a
set of messages from winbindd that I don't understand:

Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846,  0]
rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25371]:   dcerpc_netr_ServerPasswordSet{2}
failed: NT code 0xc2a5
Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[26636]:   credentials chain check failed
Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25518]:   credentials chain check failed
Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:36:28 as3 winbindd[25371]:   credentials chain check failed

Authentications went through ok at 10:35:23 & again at 10:35:29.  We
haven't seen them before, & searching, I couldn't find much info.  What
do these messages mean?  What would have caused them?  Do we need to be
concerned?  Any help would be greatly appreciated.


What is happening here is that we are trying and failing to change our
machine account password.  Can you try Samba 3.6.12 and see if the
changes in the meantime have fixed this?


Can winbindd change the machine account password?  This isn't being done 
by us manually.



Looking into this some more these links suggest a server-side error:
http://www.tek-tips.com/viewthread.cfm?qid=1487092
http://support.microsoft.com/kb/306091/en-us

Looking at these links, are you suggesting that the DC database is being 
locked at this point in time, so when an auth request is being made, it 
fails?



Is there anything in the server event log to match this error?


I'm trying to get access to the DC event logs to look into this.

Thanks.

-John

--
John Center
Villanova University


Re: [Samba] Strange winbindd messages

2013-02-07 Thread John Center

Any help?  -John

On 01/23/2013 11:59 AM, John Center wrote:

Hi,

We are running samba v3.6.3 on Ubuntu 12.04 server.  This is being used
with FreeRADIUS for wireless authentication with AD.  We just logged a
set of messages from winbindd that I don't understand:

Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846,  0]
rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25371]:   dcerpc_netr_ServerPasswordSet{2}
failed: NT code 0xc2a5
Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[26636]:   credentials chain check failed
Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25518]:   credentials chain check failed
Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861,  0]
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:36:28 as3 winbindd[25371]:   credentials chain check failed

Authentications went through ok at 10:35:23 & again at 10:35:29.  We
haven't seen them before, & searching, I couldn't find much info.  What
do these messages mean?  What would have caused them?  Do we need to be
concerned?  Any help would be greatly appreciated.

Thanks.

 -John




[Samba] Samba4 domain controller ntlm_auth error - No logon servers (0xc000005e)

2013-02-05 Thread John/SML
Hi,

Formerly, I successfully used Samba 3.0.28a + FreeRADIUS 1.1.7 for 
Wi-Fi PEAP authentication against Windows 2003 AD. Now, I would like to 
replace Windows AD with Samba4. I built Samba4 successfully from source on 
Ubuntu 12.04.1 and the Samba4 domain controller seems to function normally, 
e.g. I am able to work with the Samba4 domain with RSAT and edit the group 
policy.

However, when I used Samba 3.0.28a as client and used ntlm_auth command to 
authenticate Samba4 domain users :-

>ntlm_auth --request-nt-key --domain=dom1 --username=john 
--password=secret

When I entered the correct password, ntlm_auth returned an error 
"NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc05e)" instead of OK. 
When I deliberately entered a wrong password, it returned the wrong 
password error correctly.

I hope someone could advise what went wrong. Is Samba4 domain mature 
enough and could replace the Windows AD for ntlm_auth authentication ?

Thanks a lot.

John Mok 


=
Sunciti Manufacturers Ltd.
Direct: +852 27976403
Mobile (HK): +852 51000643
Mobile (CN): +86 15012500643
Facsimile: +852 22601701


Re: [Samba] gid collision

2013-02-05 Thread John Adams
Hi

A bit more than 24 hours later the group 'python\none' re-appeared.

wbinfo told me this about 'domain users' and 'python\none':

root@python:/var/run/samba# wbinfo -n 'PYTHON\none'
S-1-5-21-1142660729-3645412750-287447673-513 SID_DOM_GROUP (2)
This SID does not exist in AD.

root@python:/var/run/samba# wbinfo -n 'domain users'
S-1-5-21-3399354374-3828377523-3974166524-513 SID_DOM_GROUP (2)
This SID exists in AD.

Both SIDs are found in /var/run/samba/gencache.tdb.
How is gencache.tdb generated?
What happens if I try to erase this key in gencache.tdb?
key 59 bytes
IDMAP/SID2GID/S-1-5-21-1142660729-3645412750-287447673-513
data 16 bytes
[000] 20 20 31 33 36 30 30 34  35 39 37 33 2F 2D 31 00136004 5973/-1

Thanks for any hints and pointers!

Best regards
Philipp

> Hi
>
> I switched in nsswitch.conf
>
> group: files winbind
> to
> group: winbind files
>
> and rebooted the box. PYTHON\none has disappeared. getent group
> 'python\none' and wbinfo --group-info='python\none' haven't got any
> results anymore.
>
> It feels quite strange that by changing name resolution order behaviour
> like that disappears. Is this a bug?
>
> Thanks,
> Philipp
>
>
>> Hi
>>
>> Setup is samba 3.6.3 on ubuntu 12.04.1, domain member server in a
>> Win2008R2 DC environment. Userauth is via kerberos.
>>
>> I have a gid collision I cannot find an answer for. Please see below.
>>
>> root@python:/home/DOMAIN/users# ls -la
>> drwxr-x--- 4 user1 PYTHON\none  136 Dez  7 09:42 user1
>> drwxr-x--- 2 user2 PYTHON\none6 Jan 30 11:01 user2
>> drwxr-x--- 2 user3 PYTHON\none6 Jan 30 11:13 user3
>>
>> root@python:/home/DOMAIN/users# getent group 'domain users'
>> domain users:x:100513:
>> root@python:/home/DOMAIN/users# getent group 'python\none'
>> PYTHON\none:x:100513:
>>
>> neither wbinfo -g nor getent group list any group named python\none.
>>
>> Has anybody got an explanation for python\none or how I get rid of it?
>>
>> Thanks
>> Philipp
>>
>>
>>
>> smb.conf:
>>
>> [global]
>> workgroup = DOMAIN
>> server string = Fileserver Samba Version %v
>> netbios name = python
>> security = ADS
>> realm = DOMAIN.LOCAL
>> kerberos method = secrets only
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nss info = template
>> winbind use default domain = yes
>> winbind refresh tickets = true
>> winbind nested groups = yes
>> idmap config *:backend = rid
>> idmap config *:range = 10-1
>> idmap config *:base_rid = 0
>> template shell = /usr/bin/nologin
>> template homedir = /home/%D/users/%U
>> obey pam restrictions = yes
>> allow trusted domains = no
>> client use spnego = yes
>> client signing = auto
>> preferred master = no
>> load printers = no
>> dos charset = 850
>> unix charset = UTF-8
>> display charset = UTF-8
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> IPTOS_LOWDELAY SO_KEEPALIVE
>> log file = /var/log/samba/log.%m
>> log level = 3
>> max log size = 5
>>
>>
>>
>
>
>
>
>


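The message above shows two SIDs from different domains that both end in RID 513 and both resolve to gid 100513. The following is an added example, not part of the thread: it applies the mapping documented for the idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID) to the two posted `wbinfo -n` results and reports IDs claimed by more than one domain. The range bounds are assumptions, because the `range` line in the posted smb.conf is not readable; the function and variable names are likewise made up for the example.

```python
import re
from collections import defaultdict

# From the posted smb.conf: "idmap config *:base_rid = 0".
BASE_RID = 0
# ASSUMPTION: the posted "range" line is unreadable, so these bounds are
# placeholders chosen so that RID 513 yields the gid 100513 seen in getent.
RANGE_LOW = 100000
RANGE_HIGH = 199999

# The two "wbinfo -n" results quoted in the message above (name -> output).
WBINFO_RESULTS = {
    r"PYTHON\none": "S-1-5-21-1142660729-3645412750-287447673-513 SID_DOM_GROUP (2)",
    "domain users": "S-1-5-21-3399354374-3828377523-3974166524-513 SID_DOM_GROUP (2)",
}

# Domain SID (S-1-5-21 plus three sub-authorities) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\b")


def split_sid(wbinfo_line):
    """Return (domain_sid, rid) parsed from one line of wbinfo -n output."""
    match = SID_RE.match(wbinfo_line.strip())
    if match is None:
        raise ValueError("not a domain SID: %r" % wbinfo_line)
    return match.group(1), int(match.group(2))


def rid_to_unix_id(rid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured range.
    The domain part of the SID does not enter the calculation.
    """
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if unix_id <= high else None


def find_collisions(results):
    """Map each Unix ID to the names sharing it across different domain SIDs."""
    by_id = defaultdict(dict)  # unix id -> {domain_sid: [names]}
    for name, line in results.items():
        domain_sid, rid = split_sid(line)
        unix_id = rid_to_unix_id(rid)
        if unix_id is None:
            continue
        by_id[unix_id].setdefault(domain_sid, []).append(name)
    return {
        unix_id: sorted(n for names in domains.values() for n in names)
        for unix_id, domains in by_id.items()
        if len(domains) > 1  # same ID reached from more than one domain
    }


if __name__ == "__main__":
    for gid, names in find_collisions(WBINFO_RESULTS).items():
        print("gid %d is shared by: %s" % (gid, ", ".join(names)))
```

With one rid range applied to every domain, as `idmap config *` does, file ownership checks cannot tell the two groups apart, so a collision report like this is worth running before relying on group permissions.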


Re: [Samba] gid collision

2013-02-02 Thread John Adams
Hi

I switched in nsswitch.conf

group: files winbind
to
group: winbind files

and rebooted the box. PYTHON\none has disappeared. getent group
'python\none' and wbinfo --group-info='python\none' haven't got any
results anymore.

It feels quite strange that by changing name resolution order behaviour
like that disappears. Is this a bug?

Thanks,
Philipp


> Hi
>
> Setup is samba 3.6.3 on ubuntu 12.04.1, domain member server in a
> Win2008R2 DC environment. Userauth is via kerberos.
>
> I have a gid collision I cannot find an answer for. Please see below.
>
> root@python:/home/DOMAIN/users# ls -la
> drwxr-x--- 4 user1 PYTHON\none  136 Dez  7 09:42 user1
> drwxr-x--- 2 user2 PYTHON\none6 Jan 30 11:01 user2
> drwxr-x--- 2 user3 PYTHON\none6 Jan 30 11:13 user3
>
> root@python:/home/DOMAIN/users# getent group 'domain users'
> domain users:x:100513:
> root@python:/home/DOMAIN/users# getent group 'python\none'
> PYTHON\none:x:100513:
>
> neither wbinfo -g nor getent group list any group named python\none.
>
> Has anybody got an explanation for python\none or how I get rid of it?
>
> Thanks
> Philipp
>
>
>
> smb.conf:
>
> [global]
> workgroup = DOMAIN
> server string = Fileserver Samba Version %v
> netbios name = python
> security = ADS
> realm = DOMAIN.LOCAL
> kerberos method = secrets only
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = template
> winbind use default domain = yes
> winbind refresh tickets = true
> winbind nested groups = yes
> idmap config *:backend = rid
> idmap config *:range = 10-1
> idmap config *:base_rid = 0
> template shell = /usr/bin/nologin
> template homedir = /home/%D/users/%U
> obey pam restrictions = yes
> allow trusted domains = no
> client use spnego = yes
> client signing = auto
> preferred master = no
> load printers = no
> dos charset = 850
> unix charset = UTF-8
> display charset = UTF-8
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> IPTOS_LOWDELAY SO_KEEPALIVE
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 5
>
>
>






[Samba] winbind not returning uid/gid

2013-02-01 Thread John Mancuso
Really sorry to re-post but it looks like my thread has been buried and had
no responses.

I am using samba3.6 winbind to connect a RHEL5.8 linux box to a new Windows
Server 2012 Active Directory which has Unix Identity Mapping installed. So
I have all the
uidNumber/gidNumber stuff in the windows schema.

I am able to log in but I am not getting the right uid/gid. My AD uids start
at around 800. Apparently the ID mapping has changed again in samba 3.6.
https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#ID_Mapping_Changes

Looks like it's getting the proper shell and gid but not getting the proper
uid. It's just getting a number starting at 800 instead of the actual number.

[2013/02/01 00:51:38.469672,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_QueryUser: struct wbint_QueryUser
  out: struct wbint_QueryUser
  info : *
  info: struct wbint_userinfo
  acct_name: *
  acct_name: 'test15'
  full_name: *
  full_name: 'test15'
  homedir  : *
  homedir  : '/home/test15'
  shell: *
  shell: '/bin/csh'
  primary_gid  : 0x032a (810)
  user_sid :
S-1-5-21-1876082661-3791542598-1067495821-2113
  group_sid:
S-1-5-21-1876082661-3791542598-1067495821-513
  result   : NT_STATUS_OK
[2013/02/01 00:51:38.470144, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 800
[2013/02/01 00:51:38.470217, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found 800
[2013/02/01 00:51:38.470293, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[15762:GETPWUID]: NT_STATUS_OK
[2013/02/01 00:51:38.470475, 10]
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[15762:GETPWUID]: delivered response to

Not even returning the proper gid (810) from the log above:

-bash-3.2$ id
uid=800(test15) gid=800(ops) groups=800(ops)


Does my smb.conf file look correct? I'm not too familiar with configuring
it.

[global]
   workgroup = mycompany
   password server = pekdc01.mycompany.net
   realm = MYCOMPANY.NET
   security = domain
winbind nss info = rfc2307
#idmap config * : backend = ad #THIS PREVENTS WINBIND FROM CONNECTING
idmap config * : range = 800-90
idmap config * : schema_mode = rfc2307
template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false


rpm version:

root at test:~ · 04:02 AM Thu Jan 31 ·
!548 # rpm -qa | grep samba
samba3x-common-3.6.6-0.129.el5
samba3x-client-3.6.6-0.129.el5
samba3x-winbind-3.6.6-0.129.el5


[Samba] gid collision

2013-01-31 Thread John Adams
Hi

Setup is samba 3.6.3 on ubuntu 12.04.1, domain member server in a
Win2008R2 DC environment. Userauth is via kerberos.

I have a gid collision I cannot find an answer for. Please see below.

root@python:/home/DOMAIN/users# ls -la
drwxr-x--- 4 user1 PYTHON\none  136 Dez  7 09:42 user1
drwxr-x--- 2 user2 PYTHON\none6 Jan 30 11:01 user2
drwxr-x--- 2 user3 PYTHON\none6 Jan 30 11:13 user3

root@python:/home/DOMAIN/users# getent group 'domain users'
domain users:x:100513:
root@python:/home/DOMAIN/users# getent group 'python\none'
PYTHON\none:x:100513:

neither wbinfo -g nor getent group list any group named python\none.

Has anybody got an explanation for python\none or how I get rid of it?

Thanks
Philipp



smb.conf:

[global]
workgroup = DOMAIN
server string = Fileserver Samba Version %v
netbios name = python
security = ADS
realm = DOMAIN.LOCAL
kerberos method = secrets only
winbind enum users = yes
winbind enum groups = yes
winbind nss info = template
winbind use default domain = yes
winbind refresh tickets = true
winbind nested groups = yes
idmap config *:backend = rid
idmap config *:range = 10-1
idmap config *:base_rid = 0
template shell = /usr/bin/nologin
template homedir = /home/%D/users/%U
obey pam restrictions = yes
allow trusted domains = no
client use spnego = yes
client signing = auto
preferred master = no
load printers = no
dos charset = 850
unix charset = UTF-8
display charset = UTF-8
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
IPTOS_LOWDELAY SO_KEEPALIVE
log file = /var/log/samba/log.%m
log level = 3
max log size = 5




Re: [Samba] migrating samba shares to a netapp filer?

2013-01-31 Thread John P Arends
I agree completely. robocopy is the best solution here. Why try to make your 
life more complicated?

On Jan 31, 2013, at 10:29 AM, Wolfgang Ratzka  wrote:

> On 31.01.2013 16:43, Luca Olivetti wrote:
>> On 31/01/13 16:09, John P Arends wrote:
>>> If I were you I'd connect to both shares using a Windows machine and run 
>>> robocopy to copy all the permissions.
>> 
>> I thought about that but I'd prefer a Linux solution (if possible).
>> 
> 
> There is a lack of standardization in  ACLs on the Linux/Unix side
> (fine grained ACLs beyond User/Group/World).
> AFAIK XFS does have Posix ACLs (which never left draft status) and NetApp
> might be able to do NFSv4 ACLs on volumes with NTFS security
> exported via NFSv4 (not sure about that).
> 
> If your ACLs follow a simple pattern (user and group directories with
> fairly uniform access rights) you might just recreate the ACLs from
> scratch, otherwise robocopy does a fairly good job in translating
> the ACLs.
> 
> Kind Regards
> Wolfgang Ratzka
> 
> 
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] uid/gid not being used when logging into RHEL -> Windows Server 2012 Active Directory

2013-01-31 Thread John Mancuso
update:

Looks like it's getting the proper shell and gid but not getting the proper
uid. It's just getting a number starting at 800 instead of the actual number.

Also when I output via wbinfo it is incorrect


[2013/02/01 00:51:38.469672,  1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_QueryUser: struct wbint_QueryUser
  out: struct wbint_QueryUser
  info : *
  info: struct wbint_userinfo
  acct_name: *
  acct_name: 'test14'
  full_name: *
  full_name: 'test14'
  homedir  : *
  homedir  : '/home/test14'
  shell: *
  shell: '/bin/csh'
  primary_gid  : 0x032a (810)
  user_sid :
S-1-5-21-1876082661-3791542598-1067495821-2113
  group_sid:
S-1-5-21-1876082661-3791542598-1067495821-513
  result   : NT_STATUS_OK
[2013/02/01 00:51:38.470144, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 800
[2013/02/01 00:51:38.470217, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found 800
[2013/02/01 00:51:38.470293, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[15762:GETPWUID]: NT_STATUS_OK
[2013/02/01 00:51:38.470475, 10]
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[15762:GETPWUID]: delivered response to
client
[2013/02/01 00:51:38.470698, 10] winbindd/winbindd.c:616(process_request)
  process_request: Handling async request 6544:GETPWUID


root@test:~ · 01:08 AM Fri Feb 01 ·
!842 # wbinfo -i test14
test14:*:800:800:test14:/home/test14:/bin/bash


[global]
   workgroup = mycompany
   password server = pekdc01.mycompany.net
   realm = MYCOMPANY.NET
   security = domain
winbind nss info = rfc2307
#idmap config * : backend = ad #THIS PREVENTS WINBIND FROM CONNECTING
idmap config * : range = 800-90
idmap config * : schema_mode = rfc2307
template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

HELP- pulling my hair out over this! Thanks


Re: [Samba] migrating samba shares to a netapp filer?

2013-01-31 Thread John P Arends
If I were you I'd connect to both shares using a Windows machine and run 
robocopy to copy all the permissions.

On Jan 31, 2013, at 4:58 AM, Luca Olivetti 
 wrote:

> Hello,
> I'll soon have to migrate our samba shares to a netapp filer (not my
> decision).
> Currently the shares are on an xfs filesystem and served by samba 3.5.2,
> which is also the domain controller (a role that it will maintain, only
> the shares are being transferred) and samba/unix users are in ldap. The
> filer is in the domain and uses ldap to map user ids and that seems to work.
> Samba maps the unix permissions and xfs ACLs to windows ACLs, but the
> filer isn't as smart: the share can be in ntfs mode or in unix mode
> (there's also a mixed mode but I'd avoid that).
> 
> To copy the data I nfs mount the netapp and use rsync.
> For that to work I have to use unix mode on the filer (with ntfs mode
> the netapp doesn't allow nfs clients to  modify file ownership and
> permissions) but while that works and I like the fact that I can use
> rsync not only for the initial migration, but also for making backups in
> the future, that means I lose the ACLs and it's ugly as seen on a
> windows client (since the netapp shows unix permissions in an ugly way).
> 
> I tried a cifs mount against a ntfs style netapp share, but that didn't
> correctly map the users and permissions when I rsync'ed the files.
> 
> Is there a better way to copy the data, possibly using ntfs style
> permissions on the filer and not precluding the use of rsync in the future?
> 
> I've read about robocopy but I'm not really sure it's a good option.
> 
> TIA
> -- 
> Luca Olivetti
> Wetron Automation Technology http://www.wetron.es
> Tel. +34 935883004  Fax +34 935883007


[Samba] gid collision with non-existing group

2013-01-30 Thread John Adams
Dear all

I've come across quite a strange behaviour I have not been able to debug.

The setup is Samba 3.6.3 on Ubuntu 12.04.01 LTS as domain member of a
Win2008R2 DC. User Auth is via Kerberos.

The windows group 'domain members' has GID 513 in the windows world and is
mapped on my Ubuntu Box to 100513. However, unfortunately another group
has the same GID. The group is called PYTHON\none, while PYTHON is the
hostname.

Running wbinfo -g or getent group or the net commands do not reveal any
group called PYTHON\none. However, I see this group when I list the user
homes (ls -la). Obviously, it's due to the GID collision.

Can anybody tell me where that group PYTHON\none is coming from, what it
is and how to get rid of it?

Thanks
Philipp



[Samba] uid/gid not being used when logging into RHEL -> Windows Server 2012 Active Directory

2013-01-30 Thread John Mancuso
I am using samba/winbind to connect a RHEL5.8 linux box to a new Windows
Server box which has Unix Identity Mapping installed. So I have all the
uidNumber/gidNumber stuff in the windows schema.

I am able to login but I am not getting the right uid/gid. My AD uids start
at around 800. FYI I am new to winbind. Apparently the ID mapping has
changed again in samba 3.6 but I'm not really understanding.
https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#ID_Mapping_Changes


root@test:~ · 03:55 AM Thu Jan 31 ·
!546 # su - test9
su: warning: cannot change directory to /home/test9: No such file or
directory
-bash-3.2$ id
uid=16777224(test9) gid=16777216(domain users) groups=16777216(domain users)
-bash-3.2$ exit

uid should be in the 8xx range. Not 1677224...

Some info:

smb.cnf:
[global]
   workgroup = MYCOMPANY
   password server = pekdc01.mycompany.net
   realm = MYCOMPANY.NET
   security = domain
   idmap uid = 800-33554431
   idmap gid = 16777216-33554431
   idmap config MYCOMPANY: backend = ad
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   idmap config MYCOMPANY : schema_mode = rfc2307


root@test:~ · 04:02 AM Thu Jan 31 ·
!548 # rpm -qa | grep samba
samba3x-common-3.6.6-0.129.el5
samba3x-client-3.6.6-0.129.el5
samba3x-winbind-3.6.6-0.129.el5


Re: [Samba] require_membership_of is ignored

2013-01-24 Thread John P Arends
I want to make sure if someone also gets local console access somehow they 
still can't get in. That's my concern with just making changes to how sshd 
authenticates.

(I know nearly nothing about PAM.)

On Jan 24, 2013, at 4:21 PM, "Philipoff, Andrew"  
wrote:

> John,
> 
> When you say that you can log on as any AD user, do you mean using SSH? On 
> our systems I use "pam_succeed_if.so user ingroup" in our /etc/pam.d/sshd 
> files, see below:
> 
> auth       include      system-auth
> account    required     pam_nologin.so
> #account    include      system-auth
> account    sufficient   pam_succeed_if.so user ingroup local_admin_group
> account    sufficient   pam_succeed_if.so user ingroup active_directory_group
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> 
> Note that I comment out "account include system-auth " and add a local admin 
> group so as not to lock out local users.
> 
> Andrew
> 
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
> Behalf Of John P Arends
> Sent: Thursday, January 24, 2013 1:45 PM
> To: samba@lists.samba.org
> Subject: [Samba] require_membership_of is ignored
> 
> I have a RHEL 6.3 machine successfully bound to AD using winbind, and 
> commands like wbinfo -u and wbinfo -g output the users and groups. I can also 
> log in as any AD user.
> 
> The problem is, I can log on as any AD user.
> 
> require_membership_of is being ignored. I can put in a valid group with no 
> spaces in the name, a group by SID, and either way, everyone can log in.
> 
> I've put this option in both /etc/pam.d/system-auth and 
> /etc/security/pam_winbind.conf and any user can log in.
> 
> Any suggestions, or advice on how I can better troubleshoot this? I'm not 
> seeing anything in the logs that is helpful, but I may not be looking in the 
> right place.
> 
> I've asked a few other people who have told me "oh, that never works" but I 
> can't imagine that is the case.
> 
> Running  3.5.10-125.el6 by the way..
> 
> Thanks
> 
> -John
> 
> John Arends
> Senior Systems Engineer
> School of Communication
> Northwestern University 
> 847-491-5789
> 
> 
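
How the `required` and `sufficient` control flags combine in an account stack laid out like the one quoted above, as an added example that is not part of the thread: a failed `sufficient` line is ignored, so group checks written only as `sufficient` lines after a passing `required` line do not refuse non-members unless a final `required` deny follows. The evaluator is a simplified model of the Linux-PAM keyword flags; module results are simulated, and both stack texts and the closing `pam_deny.so` line are constructed assumptions.

```python
# Added example: simplified model of how Linux-PAM combines the keyword
# control flags (required/requisite/sufficient/optional) in one stack.
# Module results are simulated; nothing here calls the real PAM library.

# Constructed stack modelled on the account lines quoted in the thread.
FAIL_OPEN = """
account    required     pam_nologin.so
#account    include      system-auth
account    sufficient   pam_succeed_if.so user ingroup local_admin_group
account    sufficient   pam_succeed_if.so user ingroup active_directory_group
"""

# Same stack with a closing deny line (an assumption added for comparison).
FAIL_CLOSED = FAIL_OPEN + "account    required     pam_deny.so\n"


def parse_stack(text, mgmt="account"):
    """Return (control, module, args) for every active line of type `mgmt`."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules


def run_module(module, args, groups):
    """Simulated module result: True for success, False for failure."""
    if module == "pam_succeed_if.so":
        if len(args) >= 3 and args[:2] == ["user", "ingroup"]:
            return args[2] in groups
        raise ValueError("only 'user ingroup <group>' is modelled")
    if module in ("pam_nologin.so", "pam_permit.so"):
        return True        # assumes /etc/nologin does not exist
    if module == "pam_deny.so":
        return False
    raise ValueError("module not modelled: " + module)


def evaluate(rules, groups):
    """Apply the control flags in order and return the stack's verdict."""
    failed = False   # a required module has failed
    passed = False   # at least one module has contributed a success
    for control, module, args in rules:
        ok = run_module(module, args, groups)
        if control == "requisite":
            if not ok:
                return False              # fail immediately
            passed = True
        elif control == "required":
            if ok:
                passed = True
            else:
                failed = True             # remembered, stack continues
        elif control == "sufficient":
            if ok and not failed:
                return True               # success ends the stack early
            # a failing sufficient module is ignored
        elif control == "optional":
            passed = passed or ok
        else:
            raise ValueError("control flag not modelled: " + control)
    return passed and not failed


def allowed(stack_text, groups):
    """Would a user with these group memberships pass the account stack?"""
    return evaluate(parse_stack(stack_text), set(groups))


if __name__ == "__main__":
    outsider = {"domain users"}
    member = {"domain users", "active_directory_group"}
    for name, stack in (("fail-open", FAIL_OPEN), ("fail-closed", FAIL_CLOSED)):
        print(name, "outsider:", allowed(stack, outsider),
              "member:", allowed(stack, member))
```
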



[Samba] require_membership_of is ignored

2013-01-24 Thread John P Arends
I have a RHEL 6.3 machine successfully bound to AD using winbind, and commands 
like wbinfo -u and wbinfo -g output the users and groups. I can also log in as 
any AD user.

The problem is, I can log on as any AD user.

require_membership_of is being ignored. I can put in a valid group with no 
spaces in the name, a group by SID, and either way, everyone can log in.

I've put this option in both /etc/pam.d/system-auth and 
/etc/security/pam_winbind.conf and any user can log in.

Any suggestions, or advice on how I can better troubleshoot this? I'm not 
seeing anything in the logs that is helpful, but I may not be looking in the 
right place.

I've asked a few other people who have told me "oh, that never works" but I 
can't imagine that is the case.

Running  3.5.10-125.el6 by the way..

Thanks

-John

John Arends
Senior Systems Engineer
School of Communication
Northwestern University 
847-491-5789



[Samba] Strange winbindd messages

2013-01-23 Thread John Center

Hi,

We are running samba v3.6.3 on Ubuntu 12.04 server.  This is being used 
with FreeRADIUS for wireless authentication with AD.  We just logged a 
set of messages from winbindd that I don't understand:


Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846,  0] 
rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25371]:   dcerpc_netr_ServerPasswordSet{2} 
failed: NT code 0xc2a5
Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143,  0] 
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)

Jan 23 10:35:28 as3 winbindd[26636]:   credentials chain check failed
Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288,  0] 
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)

Jan 23 10:35:28 as3 winbindd[25518]:   credentials chain check failed
Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861,  0] 
rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)

Jan 23 10:36:28 as3 winbindd[25371]:   credentials chain check failed

Authentications went through ok at 10:35:23 & again at 10:35:29.  We 
haven't seen them before, & searching, I couldn't find much info.  What 
do these messages mean?  What would have caused them?  Do we need to be 
concerned?  Any help would be greatly appreciated.


Thanks.

-John

--
John Center
Villanova University


[Samba] Role of "password server" statement

2013-01-17 Thread John Center

Hi,

Using Samba 3.6.3 on Ubuntu 12.04.  I'm trying to understand how the 
"password server" statement works with winbind.  I thought if you don't 
use the default "*" value, but instead created a list of DCs, it would 
only use a DC from that list.  But, we have seen winbind connect to a DC 
that is not listed in the password server statement, but is listed in DNS:


root@as1:~# host -t srv _ldap._tcp.vuad.villanova.edu
_ldap._tcp.vuad.villanova.edu has SRV record 0 100 389 
ken-vuaddc2.vuad.villanova.edu.
_ldap._tcp.vuad.villanova.edu has SRV record 0 100 389 
MEN-VUADDC4.vuad.villanova.edu.
_ldap._tcp.vuad.villanova.edu has SRV record 0 100 389 
MEN-VUADDC5.vuad.villanova.edu.
_ldap._tcp.vuad.villanova.edu has SRV record 0 100 389 
KEN-VUADDC1.vuad.villanova.edu.
_ldap._tcp.vuad.villanova.edu has SRV record 0 100 389 
men-vuaddc1.vuad.villanova.edu.


We created an smb.conf that had the following DCs listed:

password server = ken-vuaddc1.villanova.edu men-vuaddc4.villanova.edu 
men-vuaddc1.villanova.edu men-vuaddc5.villanova.edu


But, at one point, winbindd had a connection to 
ken-vuaddc2.vuad.villanova.edu.  We specifically did not want to connect 
to this DC because of the load on it.  Why would this occur?  Is there 
any way to control this without changing the priority or weight on the 
SRV record?


Thanks.

-John

--
John Center
Villanova University


[Samba] unable to access shares on Windows 98 machine

2013-01-13 Thread John Dearden
I have installed Ubuntu 12.04.1 LTS on a new laptop. Everything seems 
great, except...


I have this old Windows 98 machine that I treat as a server (no remarks, 
please). I've had it for a long time. When I access the shares from the 
Ubuntu 12.0.4 machine, a lot of files and directories that I know are 
there do not show up.


I've tried just browsing to the shares in nautilus, places -> networks 
-> Windows Network, pick the machine, pick the share.


I've also used the following command line to mount the share:

sudo mount -t cifs //192.168.0.14/D /mnt/server_d -o 
user=john,servern=SERVER,sec=lanman


Same results either way.

After six months of searching for answers on the internet, all I found 
are two clues. If I connect to the share using "smbclient \\server\d", 
then type "dir", some of the files listed are missing the first letter 
of the name. Also, I found a bug listed on launchpad: "2.6.31 - Can't 
see files in CIFS-mounted directories", which describes a similar 
problem. From that I learned that if I use the "noserverino" option to 
mount, I can see all the files. I also have to use dir_mode and 
file_mode to get the modes right, though.


Finally, I dragged out an older laptop that has Ubuntu 10.04.4 LTS on 
it. It works just fine. Nautilus finds the share, allows me to edit 
files, everything.


Also, I fired up my old Windows XP machine. I don't see any problems 
with accessing a share on that, so it seems like the problem is between 
Ubuntu 12.04.1 and Windows 98.


Samba on the 12.04 machine is version 3.6.3. Samba on the 10.04 machine 
is version 3.4.7.


Any ideas? Is there some way to tell samba "when you talk to the windows 
98 machine, he's old and cranky, so you have to talk like this for him 
to understand"?


thanks in advance,
John


Re: [Samba] Move from roaming to local profiles

2013-01-09 Thread John Drescher
> Thanks for the fast reply. That looks like exactly what I was looking for. I 
> am about to test that with a few windows 7 machines I have. What would be the 
> best way to automate the folder redirection, if that is even possible. I 
> thought about just adding the directives to the users netlogon.bat but I am 
> not sure that will move the data automatically.

Windows 7 has the same option in Control Panel\All Control Panel Items\System

then click Advanced system settings

then user profiles.

John


Re: [Samba] difference between version 3.x and version 4

2012-12-19 Thread John Drescher
> I want to make clear that, aside from changes like the removal of
> depreciated features like 'security=server' and 'security=share',
> essentially all the features of Samba 3.x are in Samba 4.0.  We call the
> NT4-like domains that Samba 3.x supported 'classic' domains, and they
> continue to be supported by smbd/nmbd.  Likewise, the domain membership
> code is handled in the same way, and remains fully supported.
>
> Samba 4.0 is our new production release.

Interesting, I did not know that would still be supported. I will have
to test using the classic domains PDC + BDCs with samba4 servers.

John


[Samba] Fwd: Samba 4 / DNS

2012-12-12 Thread John Drescher
-- Forwarded message --
From: John Drescher 
Date: Wed, Dec 12, 2012 at 4:51 AM
Subject: Re: [Samba] Samba 4 / DNS
To: Thomas Simmons 


> If you have multi-homed systems, why can't you specify multiple DNS servers
> on the workstations (one from the "public" network and the AD server on the
> "private" network). Of course this assumes your using a domain name that the
> first DNS server can't resolve.

I believe the problem with that is that if the first DNS server
returns that the address is not found the windows dns client does not
try other DNS servers.

Also, when you say "My samba 3 servers are
> not permitted to be connected to the company network/internet", does this
> mean directly connected? You could configure ICS (NAT) on one of the W7
> systems and have your S4 server forward all requests to the DNS server on
> the primary network. This is how I'm currently running my S4 test setup to
> keep it segregated from my main network which is controlled by an S3 PDC.

That would not work either. Basically my non approved linux boxes are
not permitted to have any connection to the Internet. NAT or proxy is
certainly out.

John


-- 
John M. Drescher


Re: [Samba] Samba 4 / DNS

2012-12-12 Thread John Drescher
> The only other thing I can think of off hand is running a minimal DNS
> implementation on each client that forwards to either Samba or your
> company's DNS servers depending on the domain.

As a programmer, I have thought about this option.

John


Re: [Samba] Samba 4 / DNS

2012-12-11 Thread John Drescher
> Samba doesn't require internet connectivity, but yes, you will have to
> work out how to ensure that the desktops can both resolve the name of
> the AD DC and names elsewhere on the network.  This would seem to be a
> challenge in your setup, but perhaps you can have another dual-homed box
> running BIND, with a forwarder pointing to Samba4, and otherwise
> forwarding to the rest of the world.  Then your dual-homed boxes could
> use that as their DNS server.
>

Thanks.  That confirmed what I thought. I would not be permitted to
have the DNS server so that would prevent me from this.

John


[Samba] Samba 4 / DNS

2012-12-11 Thread John Drescher
Is there any way to have Samba 4 / AD servers not connected to the
internet and still have DNS working on the windows clients? My samba 3
servers are not permitted to be connected to the company network /
internet so I have 2 nics in each desktop. 1 connecting to the private
gigabit network where my samba 3 servers exist. The other connects to
the company + internet.

-- 
John M. Drescher


[Samba] Problem loading login.bat on a windows 7 machine

2012-11-27 Thread John Drescher
On 1 windows 7 workstation in my work samba 3 domain roaming profiles
are not loading. The problem seems to be a failure in loading the
login.bat

Samba version 3.5.19
PID Username  Group Machine
---
8078  jdrescher Domain Users  radimgws70   (192.168.2.157)

Service  pid machine   Connected at
---
IPC$ 8199   datastore2Tue Nov 27 12:29:05 2012
IPC$ 8180   datastore1Tue Nov 27 12:28:07 2012
IPC$ 8229   radimgws68Tue Nov 27 12:31:10 2012
netlogon 8078   radimgws70Tue Nov 27 12:22:26 2012

Locked files:
Pid  UidDenyMode   Access  R/WOplock
SharePath   Name   Time
--
8078 1000   DENY_WRITE 0xa1RDONLY NONE
/home/netlogon   login.bat   Tue Nov 27 12:22:26 2012


[2012/11/27 12:24:02.704884,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (1000, 513) - sec_ctx_stack_ndx = 0
[2012/11/27 12:24:02.705305,  3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name
[login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}]
[/home/netlogon]
[2012/11/27 12:24:02.705338,  3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name:
login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
reduced to 
/home/netlogon/login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
[2012/11/27 12:24:02.705362,  3] smbd/dosmode.c:166(unix_mode)
  
unix_mode(login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20})
returning 0744
[2012/11/27 12:24:02.705381,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(160) cmd=162 (SMBntcreateX)
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2012/11/27 12:24:14.064825,  3] smbd/process.c:1489(process_smb)


For me an interesting thing from the above output is
login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}

why is it trying to append
.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
to the filename? Or am I reading this wrong?

-- 
John M. Drescher


[Samba] Fwd: window 7 loses connection to Samba 3.5.19

2012-11-23 Thread John Drescher
-- Forwarded message --
From: Gerardo Ramos 
Date: Fri, Nov 23, 2012 at 2:37 PM
Subject: Re: [Samba] window 7 loses connection to Samba 3.5.19
To: John Drescher 


John
I have a samba server update 3.5.19 on Centos 5, users connect to the
shared drive without problems, when they are working at any moment
lose connection to the shared drive, ensuring that the user log I see
the following:
read_data: read failure for 4 bytes to client error = Connection timed out
This arose when I added users with windows 7, and the loss of
connection is random.

Regards,

Gerardo


2012/11/23 John Drescher 
>
> On Thu, Nov 22, 2012 at 11:19 AM, Gerardo Ramos
>  wrote:
> > Dear Samba list,
> >
> > I have problem with windows 7 loses connection to Samba version 3.5.19
> >
> > regards
>
> I think you will have to give more information. I can tell you that
> this does not happen for me at work on any of the samba servers I have
> updated to 3.5.19.
>
> John




-- 
John M. Drescher
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] window 7 loses connection to Samba 3.5.19

2012-11-23 Thread John Drescher
On Thu, Nov 22, 2012 at 11:19 AM, Gerardo Ramos
 wrote:
> Dear Samba list,
>
> I have problem with windows 7 loses connection to Samba version 3.5.19
>
> regards

I think you will have to give more information. I can tell you that
this does not happen for me at work on any of the samba servers I have
updated to 3.5.19.

John


[Samba] Using SAMBA in Red Hat Enterprise Linux 6

2012-11-13 Thread McCarthy, John D.
I enjoyed the GUI interface once used with Red Hat Enterprise Linux 5
but apparently with Red Hat Enterprise Linux 6, the interface has
changed.  What SAMBA GUI manager do you recommend that is the most
simple to use.  I have a small network, thus I just need to share Red
Hat files with some windows clients.

 

Do you suggest, Samba Web Administration Tool (SWAT)?  Where can I
download SWAT if this is what you recommend?

 

A million thanks in advance,

John

 

Information Systems Security Manager

Science Applications International Corporation (SAIC)

3745 Pentagon Blvd

Beavercreek, Ohio 45431

BlackBerry 937-405-3749

Office (937)-431-4311

Pager 1-877-302-2933 or 8773022...@skytel.com

 



Re: [Samba] A device attached to the system is not functioning(samba 3.6.3 + OpenLDAP)

2012-10-29 Thread John Drescher
> Today's morning I got "*Domain not available*" on all windows xp
> machines(domain logon working only for users with cached profiles)
> I tried to rejoin machine to domain, but when I try to join, error "*A
> device attached to the system is not functioning*" occurs
> Here is error log when I tried to join http://pastebin.com/MCHKMjmL
> "*Re-using invalid record*" looks suspicious, but I don't understand how its
> related to my problem.
> I'm using samba 3.6.3 with OpenLDAP
>
> My samba config: http://pastebin.com/BKLVBeWv
>
> Also, I done absolutely nothing to server before error happens(just reboot 2
> days ago)

A lot of times I see errors like this to be a browsing problem where
the client does not know the ipaddress of the server. Does your client
have a wins address in its config?

John


Re: [Samba] mount.cifs: regular freezes with s3fs

2012-10-18 Thread John Drescher
> through user login, freeze (twice) and user logout until the login prompt
> returned:
> https://dl.dropbox.com/u/45150875/cifs-freeze2
>

When I click the above link I get:

We can't find the page you're looking for. Check out our Help Center
and forums for help, or head back to home.

John


[Samba] Added samba users do not appear, but maybe appear as groups.

2012-10-18 Thread John B. Adams
Hi

I am a long term samba user and this is my first real problem.

Installation on Centos 5.8 originally Samba 3.033

It was on a server that had been crashing so about 8mths ago we put in a new 
motherboard and the system seemed to be running OK, but we have not been adding 
users or machines.

More recently the users wanted a new windows 7 machine and it would not let us 
add the machine (The machine account does not exist)

We realized that we needed a later version of Samba and updated to Samba 3.5.17 
(now 3.5.18)

The problem would not go away.

It seems that when we attempt to add a user account or a machine account, to 
the smbpasswd file, it adds it to the file but not 
to the user list when we do a wbinfo --domain-users

This means though we can add users to linux we can not add Samba users or 
machine accounts.

I use webmin, this shows the users have not been added but if I look in the 
samba groups they are listed.

They are not listed if I do a wbinfo --domain-groups

Can anyone shed a light of a fix for this as it is looking like a complete 
server replacement, that is install on another machine and migrate.

John


Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance

2012-10-06 Thread John Russell
Or could be reverse lookup is not working...

root@sogo:~# nslookup sogo
Server: 172.16.1.7
Address:172.16.1.7#53

Name:   sogo.example.com
Address: 172.16.1.7

root@sogo:~# nslookup 172.16.1.7
Server: 172.16.1.7
Address:172.16.1.7#53

** server can't find 7.1.16.172.in-addr.arpa: SERVFAIL


On Sat, Oct 6, 2012 at 10:22 PM, John Russell  wrote:

> Finally got DNS partially working, the following tests were successful:
> host -t SRV _ldap._tcp.example.com.
> host -t SRV _kerberos._udp.example.com.
> host -t A sogo.example.com.
>
> Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain.
> Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then
> --dns-backend=SAMBA_INTERNAL but both return "update failed: REFUSED"
>
> So DNS now seems to be having permission problems?
>
> Attached are outputs from "samba_dnsupdate --verbose --all-names" and the
> subsequent "tail /var/log/syslog". Any ideas?
>
>
> On Fri, Sep 21, 2012 at 4:30 AM, John Russell  wrote:
>
>> Thought for sure this was a real bug, but you are correct Mr. Bartlett,
>> that's just how the SMB protocol works. I verified this with another
>> wireshark capture from the same XP machine and a working SAMBA4 appliance
>> from Sernet. This second capture also reveals that bind9 is still having
>> issues on the SOGo appliance. The host machine registers itself into the
>> DNS zone, but will not add client machines when they try to join the
>> domain. How do I use the internal DNS service with SAMBA4?
>>
>>
>> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett wrote:
>>
>>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>>> > Ran wireshark on the XP client while joining the domain and saw SAM
>>> LOGON
>>> > request from client and SAM Active Directory Response - user unknown.
>>> >
>>> > I noticed on the request and the response packets the user name field
>>> in
>>> > the packet is blank (yes, I am typing the user name and password into
>>> the
>>> > prompt from the XP machine!).
>>> >
>>> > Any ideas on what causes this?
>>>
>>> While an odd feature of the protocol, this is actually a normal
>>> successful response to the expected packet.  (Essentially, this is a
>>> historical oddity from a time when asking if a server knew about a user
>>> over an un-authenticated UDP packet wasn't considered a
>>> security/confidentially issue).
>>>
>>> --
>>> Andrew Bartlett
>>> http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team   http://samba.org
>>>
>>>
>>>
>>
>>
>> --
>> "It's better to be boldly decisive and risk being wrong than to agonize
>> at length and be right too late."
>> Marilyn Moats Kennedy
>>
>
>
>
> --
> "It's better to be boldly decisive and risk being wrong than to agonize at
> length and be right too late."
> Marilyn Moats Kennedy
>



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance

2012-10-06 Thread John Russell
Finally got DNS partially working, the following tests were successful:
host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain.
Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then
--dns-backend=SAMBA_INTERNAL but both return "update failed: REFUSED"

So DNS now seems to be having permission problems?

Attached are outputs from "samba_dnsupdate --verbose --all-names" and the
subsequent "tail /var/log/syslog". Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell  wrote:

> Thought for sure this was a real bug, but you are correct Mr. Bartlett,
> that's just how the SMB protocol works. I verified this with another
> wireshark capture from the same XP machine and a working SAMBA4 appliance
> from Sernet. This second capture also reveals that bind9 is still having
> issues on the SOGo appliance. The host machine registers itself into the
> DNS zone, but will not add client machines when they try to join the
> domain. How do I use the internal DNS service with SAMBA4?
>
>
> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett wrote:
>
>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>> > Ran wireshark on the XP client while joining the domain and saw SAM LOGON
>> > request from client and SAM Active Directory Response - user unknown.
>> >
>> > I noticed on the request and the response packets the user name field in
>> > the packet is blank (yes, I am typing the user name and password into the
>> > prompt from the XP machine!).
>> >
>> > Any ideas on what causes this?
>>
>> While an odd feature of the protocol, this is actually a normal
>> successful response to the expected packet.  (Essentially, this is a
>> historical oddity from a time when asking if a server knew about a user
>> over an un-authenticated UDP packet wasn't considered a
>> security/confidentiality issue).
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team   http://samba.org
>>

-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy
root@sogo:~# samba_dnsupdate --verbose --all-names
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com.900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sogo.example.com.   900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com.  900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME 
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME 
sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900  IN  SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900  IN  SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<
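
A triage helper for the `samba_dnsupdate --verbose --all-names` output posted above, added here as an example (it is not code from the post or from Samba). It pairs each "Calling nsupdate for ..." line with the result that follows it and copes with the mail-wrapped CNAME line; treating a record with no failure line as accepted is an assumption about the tool's output, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted output, including the
# mail-wrapped CNAME line. The final SRV record, which shows no failure
# line, is constructed for contrast.
SAMPLE = """\
IPs: ['172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; UPDATE SECTION:
example.com.            900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME
sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900  IN  SRV 0 100 464 sogo.example.com.
"""

CALL_RE = re.compile(r"^Calling nsupdate for (\S+)\s*(.*)$")
FAIL_RE = re.compile(r"^update failed: (\S+)")
EXIT_RE = re.compile(r"^Failed nsupdate: (\d+)")


def parse_dnsupdate(text):
    """Return one dict per attempted update: type, name, data, rcode, exit."""
    records, cur = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        m = CALL_RE.match(line)
        if m:
            rtype, rest = m.group(1), m.group(2).strip()
            # Mail clients wrap long lines: name and target may be on the next line.
            if not rest and i + 1 < len(lines):
                i += 1
                rest = lines[i].strip()
            fields = rest.split()
            cur = {"type": rtype, "name": fields[0] if fields else "",
                   "data": fields[1:], "rcode": None, "exit": None}
            records.append(cur)
        elif cur is not None:
            m = FAIL_RE.match(line)
            if m:
                cur["rcode"] = m.group(1)
            m = EXIT_RE.match(line)
            if m:
                cur["exit"] = int(m.group(1))
        i += 1
    return records


def summarize(records):
    """Count attempts and failures, grouped by the DNS rcode that was reported."""
    failed = [r for r in records if r["rcode"] or r["exit"]]
    by_rcode = Counter(r["rcode"] or "exit %s" % r["exit"] for r in failed)
    return {"total": len(records), "failed": len(failed), "by_rcode": dict(by_rcode)}


def triage(records):
    """Classify the run.

    all-refused: every update, including the server's own A record, came back
    REFUSED. REFUSED is the RFC 2136 rcode for a policy or security refusal, so
    look at who the zone allows to send dynamic updates, not at single records.
    partial: only some records failed, so inspect those records individually.
    clean: no failure lines at all.
    """
    s = summarize(records)
    if s["total"] and s["by_rcode"].get("REFUSED") == s["total"]:
        return "all-refused"
    return "partial" if s["failed"] else "clean"


if __name__ == "__main__":
    recs = parse_dnsupdate(SAMPLE)
    for r in recs:
        print(r["type"], r["name"], r["rcode"] or "ok")
    print(summarize(recs), triage(recs))
```
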

Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-21 Thread John Russell
Thought for sure this was a real bug, but you are correct Mr. Bartlett,
that's just how the SMB protocol works. I verified this with another
wireshark capture from the same XP machine and a working SAMBA4 appliance
from Sernet. This second capture also reveals that bind9 is still having
issues on the SOGo appliance. The host machine registers itself into the
DNS zone, but will not add client machines when they try to join the
domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett  wrote:

> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
> > Ran wireshark on the XP client while joining the domain and saw SAM LOGON
> > request from client and SAM Active Directory Response - user unknown.
> >
> > I noticed on the request and the response packets the user name field in
> > the packet is blank (yes, I am typing the user name and password into the
> > prompt from the XP machine!).
> >
> > Any ideas on what causes this?
>
> While an odd feature of the protocol, this is actually a normal
> successful response to the expected packet.  (Essentially, this is a
> historical oddity from a time when asking if a server knew about a user
> over an un-authenticated UDP packet wasn't considered a
> security/confidentiality issue).
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


Re: [Samba] Windows 8 Pro no domain logon possible

2012-09-20 Thread John Drescher
On Thu, Sep 20, 2012 at 9:47 AM, TAKAHASHI Motonobu  wrote:
> Daniel Müller  wrote on 20.09.2012 12:50:30:
>> By the way, the only success to join a windows 8 pro to a domain was to
>> set up samba4 ads and join it successfully.
>> I did not succeed in any way else.
>
> In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain.
> I modified registries:
>   HKLM\System\CCS\Services\LanmanWorkstation\Parameters
> DWORD  DomainCompatibilityMode = 1
> DWORD  DNSNameResolutionRequired = 0
>
> You can download Samba environment I examined at
>   http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)
>
> Of course I examined that after rebooting some domain accounts can logon
> into Samba domain on Windows 8 box.

This is good to know for me since I do not believe samba 4 will ever
be an option for me since I am not permitted to connect my linux
servers to the company internet. My current domain has the linux
servers connected to a second private network and each client has 2
nics.

John


Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-15 Thread John Russell
Ran wireshark on the XP client while joining the domain and saw SAM LOGON
request from client and SAM Active Directory Response - user unknown.

I noticed on the request and the response packets the user name field in
the packet is blank (yes, I am typing the user name and password into the
prompt from the XP machine!).

Any ideas on what causes this? I disabled the windows firewall on the XP
machine as well just to eliminate that as a possibility. On this post (
http://lists.samba.org/archive/samba-technical/2011-February/076323.html)
they have a similar problem but they appear to have already successfully
joined the domain.

On Sat, Sep 15, 2012 at 1:06 AM, John Russell  wrote:

> Was able to fix one problem with kinit not working. Added the following
> lines to /etc/krb5.conf:
> [realms]
> EXAMPLE.COM = {
> kdc = sogo
> admin_server = sogo
> default_domain = EXAMPLE.COM
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
> This gave me the following output when running kinit s...@example.com
> Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:59784 for krbtgt/
> example@example.com
> Kerberos: Client sent patypes: REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
> Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
> Kerberos: Looking for ENC-TS pa-data -- s...@example.com
> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:50248 for krbtgt/
> example@example.com
> Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
> Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
> Kerberos: Looking for ENC-TS pa-data -- s...@example.com
> Kerberos: ENC-TS Pre-authentication succeeded -- s...@example.com using
> arcfour-hmac-md5
> Kerberos: ENC-TS pre-authentication succeeded -- s...@example.com
> Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime:
> 2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
>
> samba_dnsupdate still fails as mentioned before and I still can not join
> an XP client to the domain.
>
>
>
> On Fri, Sep 14, 2012 at 3:54 PM, John Russell  wrote:
>
>> Changing direction yet again. I decided to do some testing with the latest *SOGo
>> ZEG v2.0.0 rc5 appliance.*
>>
>> Since this is supposed to be a turnkey package with SAMBA4, OpenChange
>> and SOGo all somewhat working together I figured I'd give it a shot.
>>
>> Started up the appliance and try to join an XP client to the "EXAMPLE"
>> domain... FAILED: The error was: "DNS name does not exist." (error code
>> 0x232B RCODE_NAME_ERROR)
>> Try to join an XP client to the "OPENCHANGE" domain... FAILED: The error
>> was: "Network path was not found". The DNS lookup partially worked but tail
>> /var/log/samba/log.samba showed:
>> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
>> for requested realm)
>> Basically samba_dnsupdate fails with the following output.
>> Traceback (most recent call last):
>>   File "/usr/sbin/samba_dnsupdate", line 485, in <module>
>> get_credentials(lp)
>>   File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
>> creds.get_named_ccache(lp, ccachename)
>> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
>> for requested realm)
>>
>> This is the same problem found here
>> http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358
>>
>> At this point I know I have a KRB/KDC related issue and possibly DNS is
>> not running properly. kinit isn't installed and Bind9 isn't configured
>> with '--with-dlopen=yes'.
>> Here is the output of
>> /usr/sbin/named -V:
>> BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
>> '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
>> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> 'LDFLA

Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-14 Thread John Russell
Was able to fix one problem with kinit not working. Added the following
lines to /etc/krb5.conf:
[realms]
EXAMPLE.COM = {
    kdc = sogo
    admin_server = sogo
    default_domain = EXAMPLE.COM
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

This gave me the following output when running kinit s...@example.com
Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:59784 for krbtgt/
example@example.com
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:50248 for krbtgt/
example@example.com
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: ENC-TS Pre-authentication succeeded -- s...@example.com using
arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- s...@example.com
Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime:
2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

samba_dnsupdate still fails as mentioned before and I still can not join an
XP client to the domain.


On Fri, Sep 14, 2012 at 3:54 PM, John Russell  wrote:

> Changing direction yet again. I decided to do some testing with the latest *SOGo
> ZEG v2.0.0 rc5 appliance.*
>
> Since this is supposed to be a turnkey package with SAMBA4, OpenChange and
> SOGo all somewhat working together I figured I'd give it a shot.
>
> Started up the appliance and try to join an XP client to the "EXAMPLE"
> domain... FAILED: The error was: "DNS name does not exist." (error code
> 0x232B RCODE_NAME_ERROR)
> Try to join an XP client to the "OPENCHANGE" domain... FAILED: The error
> was: "Network path was not found". The DNS lookup partially worked but tail
> /var/log/samba/log.samba showed:
> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
> for requested realm)
> Basically samba_dnsupdate fails with the following output.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 485, in <module>
> get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
> for requested realm)
>
> This is the same problem found here
> http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358
>
> At this point I know I have a KRB/KDC related issue and possibly DNS is
> not running properly. kinit isn't installed and Bind9 isn't configured
> with '--with-dlopen=yes'.
> Here is the output of
> /usr/sbin/named -V:
> BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
> '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
> using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
> using libxml2 version: 2.7.8
>
> From here:
> I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
> Recompiled bind9 with the '--with-dlopen=yes' option
> Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
> Added tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; to
> /etc/bind/named.conf.options
> Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
> Modified /etc/hosts so that "sogo.example.com sogo" uses interface
> IP instead of loopback.
> Restarted bind and samba
>
> And still get the same error. Any ideas? Just trying to add a windows
> client to the domain at this point. Thanks
>
>
>
> On Tue, Apr 17, 2012 at 1:20 PM, John Russell  wrote:
>
>> Question following HowTo build your own OpenChange/SOGo appliance:
>> I have been building 

Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-14 Thread John Russell
Changing direction yet again. I decided to do some testing with the latest *SOGo
ZEG v2.0.0 rc5 appliance.*

Since this is supposed to be a turnkey package with SAMBA4, OpenChange and
SOGo all somewhat working together I figured I'd give it a shot.

Started up the appliance and try to join an XP client to the "EXAMPLE"
domain... FAILED: The error was: "DNS name does not exist." (error code
0x232B RCODE_NAME_ERROR)
Try to join an XP client to the "OPENCHANGE" domain... FAILED: The error
was: "Network path was not found". The DNS lookup partially worked but tail
/var/log/samba/log.samba showed:
RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
for requested realm)
Basically samba_dnsupdate fails with the following output.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 485, in <module>
get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
for requested realm)

This is the same problem found here
http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358

At this point I know I have a KRB/KDC related issue and possibly DNS is not
running properly. kinit isn't installed and Bind9 isn't configured
with '--with-dlopen=yes'.
Here is the output of
/usr/sbin/named -V:
BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
'CPPFLAGS=-D_FORTIFY_SOURCE=2'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
using libxml2 version: 2.7.8

From here:
I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
Recompiled bind9 with the '--with-dlopen=yes' option
Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
Added tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; to
/etc/bind/named.conf.options
Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
Modified /etc/hosts so that "sogo.example.com sogo" uses interface
IP instead of loopback.
Restarted bind and samba

And still get the same error. Any ideas? Just trying to add a windows
client to the domain at this point. Thanks



On Tue, Apr 17, 2012 at 1:20 PM, John Russell  wrote:

> Question following HowTo build your own OpenChange/SOGo appliance:
> I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following the
> instructions at
> http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
> .
>
> I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
> precise-server-amd64.iso
> OpenChange from svn co -r 3923
> https://svn.openchange.org/openchange/branches/sogo
> SAMBA4 - Samba-4.0.0Alpha18
>
> At the step titled "Configure DNS service"
> # cd /etc/bind
> # mkdir samba
> # cp /usr/local/samba/private/named.* samba/
> # cp -rfi /usr/local/samba/private/dns samba/
>
> my named.* files are actually in "/usr/local/samba/share/setup/" (no big
> deal)
> logically I would assume my dns files would be in
> "/usr/local/samba/share/setup/dns" but no cookie :(
>
> Find reveals:
> find / -name "dns"
> /openchange/sogo/samba4/lib/dnspython/dns
> /openchange/sogo/samba4/libcli/dns
> /openchange/sogo/samba4/bin/default/libcli/dns
> /openchange/sogo/samba4/bin/default/source4/dsdb/dns
> /openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
> /openchange/sogo/samba4/source4/dsdb/dns
> /usr/share/pyshared/dns
> /usr/lib/python2.7/dist-packages/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/dns
>
> Does anyone know the correct dns file or directory to copy to the bind
> directory?
>
> Thanks
>



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-10 Thread John Russell
Decided to change distributions and use Debian, but now I'm having early
issues.
I am using Debian 6.0.5 Squeeze
OpenChange from svn co -r 4145
https://svn.openchange.org/openchange/branches/sogo
SAMBA4 - SAMBA-4.0.0BETA5

First I had to modify the "installsamba4.sh" file and remove any references
to "--disable-tdb2"
That will allow "make samba" to run successfully. Next I run:
 ./autogen.sh && ./configure --prefix=/usr/local/samba
No issues here but when I run "make" I get the following error several
minutes into the compiling process:

Linking sample application bin/libmapixx-test
/usr/local/samba/lib/private/libkrb5-samba4.so.26: undefined reference to
`rep_strerror_r@SAMBA_4.0.0BETA5'
collect2: ld returned 1 exit status
make: *** [bin/libmapixx-test] Error 1

I have a feeling it has something to do with a reference in a script to the
SAMBA version, but the wrong ascii character is being used for quotes.
Notice `rep_strerror_r@SAMBA_4.0.0BETA5' better written as char(96)
rep_strerror_r@SAMBA_4.0.0BETA5char(39). Let me know if I am even in the
ballpark with this one or if anyone else has run into this issue. Thanks

On Tue, Apr 17, 2012 at 1:20 PM, John Russell  wrote:

> Question following HowTo build your own OpenChange/SOGo appliance:
> I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following the
> instructions at
> http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
> .
>
> I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
> precise-server-amd64.iso
> OpenChange from svn co -r 3923
> https://svn.openchange.org/openchange/branches/sogo
> SAMBA4 - Samba-4.0.0Alpha18
>
> At the step titled "Configure DNS service"
> # cd /etc/bind
> # mkdir samba
> # cp /usr/local/samba/private/named.* samba/
> # cp -rfi /usr/local/samba/private/dns samba/
>
> my named.* files are actually in "/usr/local/samba/share/setup/" (no big
> deal)
> logically I would assume my dns files would be in
> "/usr/local/samba/share/setup/dns" but no cookie :(
>
> Find reveals:
> find / -name "dns"
> /openchange/sogo/samba4/lib/dnspython/dns
> /openchange/sogo/samba4/libcli/dns
> /openchange/sogo/samba4/bin/default/libcli/dns
> /openchange/sogo/samba4/bin/default/source4/dsdb/dns
> /openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
> /openchange/sogo/samba4/source4/dsdb/dns
> /usr/share/pyshared/dns
> /usr/lib/python2.7/dist-packages/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/dns
>
> Does anyone know the correct dns file or directory to copy to the bind
> directory?
>
> Thanks
>



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


Re: [Samba] NT_STATUS_LOGON_FAILURE configuring samba with ads and no winbind

2012-09-05 Thread John H Terpstra
On 09/05/2012 08:33 PM, Nitin Thakur wrote:
> 
> I can't figure this out; reached the end of the internet.
>
> I want to configure samba to work with ADS but no winbind. I am able
> to do kinit and then net ads join. But every time I try to access the
> share I get prompted for uid and passwd and then authentication
> failure. When I look at the logs, the server is able to find the password
> server but can't find my ID in AD, which exists... I always end up with
> this error.
>
>
> Get_Pwnam_internals didn't find user [xxx]!
> [2012/09/05 14:32:59.750611,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
>   Username XXX\xxx is invalid on this system
> [2012/09/05 14:32:59.750782,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> 
> 
> any pointers?
> 
> thanks
> 
> Nitin 
> 

Nitin,

You must have a good reason for wanting to avoid use of winbind. Please
share with us your concerns.

What is your understanding as to how this should work?

- John T.



Re: [Samba] Samba PDC: Admin tools?

2012-08-25 Thread John Drescher
On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:
>  Guys.
>
>  I have use smbldap-tools to handle my accounts for my PDC with 
> samba+openldap.
>
>  Now, I ask here because a lot of people have PDC running on their
> networks, what tools do u use to manage your openldap db for samba:
> users, machines, groups?
>
>  Working with Centos 6.x.
>
>  Any input will be appreciated, thanks!!!
>
I use ldap account manager to manage my users / machines / group accounts.

John


Re: [Samba] Samba rejecting Machine account auth requests

2012-08-21 Thread John Drescher
> I have a samba domain with over 100 machines in it. For some reason every
> 30-35 days, 2 of the machines fail the trust relationship at login and need
> to be removed from the domain and rejoined.
>
> In the logs I see the following:
>
> [2012/08/21 07:55:52.981302,  0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client RED-TEAM machine account RED-TEAM$
>
> I am running samba 3.6.6 on a Centos-5 machine.
>
> Does anyone have any suggestions on what could cause this or how to
> troubleshoot this problem?
>

I believe the problem is caused when the machine changes the password
and no user is logged in at that time. To avoid this issue I have
disabled the machines from changing their passwords via the registry.

John


Re: [Samba] Making Happy Users ... I need to understand...

2012-08-11 Thread John Drescher
On Sat, Aug 11, 2012 at 5:16 AM, Marco Ciampa  wrote:
> If OT someone could please point me to the right mailing list?
>

This is the correct mailing list. It's just that people do not always
have time to offer free advice.

John


Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files

2012-08-09 Thread John Goubeaux

Ok, thanks for that detail on winbind usage.

Oddly my testing of the problem might have pinpointed the issue to be 
the fact that the Win7 is running on iMacs, YES!  AND there might be 
a driver related latency with the network card. Networking via the 
wireless card shows faster results.  Someone decided to buy a bunch 
of iMacs and run Windows on them and this is when we began seeing the 
issue. I will see.


With regards to a possible LDAP user retrieval issue I cannot see 
this changing  if one went from  WinXP   > Win7 on the client but the 
Samba  > LDAP mechanism has not changed at the server level where 
Samba is running.


-john




At 3:09 PM -0400 8/9/12, Gaiseric Vandal wrote:

name service works at unix level-  it caches user and group looks (e.g.
results of "getent passwd" and "getent group.")   So that could include
winbind if nsswitch.conf includes winbind.


On solaris, it is defined as follows. 


bash-3.00# svcs -a | grep name
disabled   Jul_18   svc:/system/name-service-cache:default


Actual executable is nscd (same as linux.)


A DC normally doesn't need winbind since the samba users map directly to
local  unix accounts.  However, the delay could be in the ldap user
retrieval.


I don't use nameservice cache myself because I found that group changes
did not come into effect quick enough.






On 08/09/12 14:14, John Goubeaux wrote:

 Thanks for the ideas !

 Does enabling nameservice caching mean starting winbindd?
 Wondering what the implications of having this running on a network
 with an actual Win DC running as well are? Meaning this is a
 "standalone" instance of a samba server that I am troubleshooting.

 I have a development version running the latest, 3.6.7 build and am
 testing with Win7 clients but seem to  still be getting latency after
 multiple files are opened.

 I will try the temp file default location change  though as well.

 -john



 At 9:50 AM -0400 8/9/12, Gaiseric Vandal wrote:

 Did you try enabling the name service caching daemon on the server?
 (has its pros and cons.)

 I would also try XP+Office 2010 and Win 7+ Office 2007 to see if you can
 shake out which is the actual problem.

 Also, can you configure office to store temp files on the local PC, and
 not the same directory as the office file is located.



 On 08/08/12 16:51, John Goubeaux wrote:

  Folks,

  I am running a  3.3.4 version of  Samba ( stand alone) on Solaris 10
  configured to auth against  LDAP for user auth and have recently,
  after migrating a variety of user desktops to Win7 and MS Office
  2010,  began seeing an increased latency in opening files.  ie
  previous 3" times are now  30-45 "

  Users were previously running WinXP and using MS office 2007.

  Question:  Is an upgrade to the latest stable 3.x  Ver  likely to
  resolve this OR am I also missing some more stringent security
  settings I need to address b/c of Win7 ?

  Any ideas or clues appreciated.

  -john











--
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Education 4203C
805 893-8190


Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files

2012-08-09 Thread John Goubeaux

Thanks for the ideas !

Does enabling nameservice caching mean starting winbindd?
Wondering what the implications of having this running on a network
with an actual Win DC running as well are? Meaning this is a
"standalone" instance of a samba server that I am troubleshooting.


I have a development version running the latest, 3.6.7 build and am 
testing with Win7 clients but seem to  still be getting latency after 
multiple files are opened.


I will try the temp file default location change  though as well.

-john



At 9:50 AM -0400 8/9/12, Gaiseric Vandal wrote:

Did you try enabling the name service caching daemon on the server?
(has its pros and cons.)

I would also try XP+Office 2010 and Win 7+ Office 2007 to see if you can
shake out which is the actual problem.

Also, can you configure office to store temp files on the local PC, and
not the same directory as the office file is located.



On 08/08/12 16:51, John Goubeaux wrote:

 Folks,

 I am running a  3.3.4 version of  Samba ( stand alone) on Solaris 10
 configured to auth against  LDAP for user auth and have recently,
 after migrating a variety of user desktops to Win7 and MS Office
 2010,  began seeing an increased latency in opening files.  ie
 previous 3" times are now  30-45 "

 Users were previously running WinXP and using MS office 2007.

 Question:  Is an upgrade to the latest stable 3.x  Ver  likely to
 resolve this OR am I also missing some more stringent security
 settings I need to address b/c of Win7 ?

 Any ideas or clues appreciated.

 -john








--
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Education 4203C
805 893-8190


[Samba] Samba 3.3.4 - Win7 Latency with MS Office files

2012-08-08 Thread John Goubeaux

Folks,

I am running a  3.3.4 version of  Samba ( stand alone) on Solaris 10 
configured to auth against  LDAP for user auth and have recently, 
after migrating a variety of user desktops to Win7 and MS Office 
2010,  began seeing an increased latency in opening files.  ie 
previous 3" times are now  30-45 "


Users were previously running WinXP and using MS office 2007.

Question:  Is an upgrade to the latest stable 3.x  Ver  likely to 
resolve this OR am I also missing some more stringent security 
settings I need to address b/c of Win7 ?


Any ideas or clues appreciated.

-john


--
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Education 4203C
805 893-8190


Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread John Drescher
> we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
> and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
> and manage the users, groups and computer by using the smbldap-tools.
>
> Currently we are experiencing the following problems:
>
> 1. changing the passwords takes longer than 30 seconds <- That's bad
> because we are using a gigabit ethernet network!
> 2. sometimes windows tells us that the user can't change their passwords at
> the current point of time
> 3. sometimes windows forces the users to change their passwords (we never
> told samba to do it!)
> 4. sometimes windows tells us that there are no logon server available!
>
> Are there any known bugs regarding to these problems? Do you need further
> information to investigate this problem?
>

I do not have any of these bugs on my samba3 based network at work. I
believe my PDC and BDCs are samba-3.5.X and I am using the last
released openldap 2.3.X release on all 3 ldap servers.



John


Re: [Samba] documentation for configuring folder redirection

2012-08-06 Thread John Heim
Well, a key point here is that I am not asking how to do folder redirection. 
I'm asking for documentation on how to do folder redirection.  I would like 
to turn the task of actually configuring folder redirection over to the 
Windows system admin.  I need a URL I can pass on to him and say, "I got 
roaming profiles working.  I have configured a redirect share. Now read this 
and see if you can get folder redirection working."


I am beginning to suspect that this document does not exist.  I have gotten 
several private messages from people who said they were planning to document 
it though. :-)


- Original Message -
From: "Daniel Müller"
To: "'John Heim'"
Sent: Friday, August 03, 2012 1:45 AM
Subject: Re: [Samba] documentation for configuring folder redirection


You think about something like this (it is tricky, beware: with windows 7 it
is quite different), done with kixtart, redirect all folders for clients
other than windows 7:


EX:

;we redirect folders to the server

;we set a registry entry to check whether we have already copied something
;first, does this entry already exist?



; we test on windows 7, if windows  7 no redirection

If InStr(@PRODUCTTYPE, "Windows 7")
?"@userID"

;copy "C:\Users\@userID\*"  "S:\@userID\"






else



$RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\tpdc")

;if above reg key not exist create it




IF NOT $RETURNCODE=0
ADDKEY("HKEY_CURRENT_USER\tpdc")

;the following entry will be deleted after all is done

ADDKEY("HKEY_CURRENT_USER\tpdc\FIRST_LOGIN")
ENDIF
; do only when FIRST_LOGIN



$RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\tpdc\FIRST_LOGIN")






;IF NOT $RETURNCODE=0 ; 0 if the entry exists

IF  $RETURNCODE=0
;




$RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\tpdc\profile_copied")
IF NOT $RETURNCODE=0
;if there is a profile folder




IF EXIST("\\tpdc\@userID\@userID\profile")

copy "\\tpdc\@userID\@userID\profile\Eigene Dateien\*" "\\tpdc\@userID\"

ENDIF



; windows 7?

IF EXIST("\\tpdc\@userID\@userID\profile.V2")

copy "\\tpdc\@userID\@userID\profile.V2\Eigene Dateien\*" "\\tpdc\@userID\"

ENDIF





;hint that Personal Folders are copied
ADDKEY("HKEY_CURRENT_USER\tpdc\profile_copied")

;set the regs on the server

WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","Personal","\\tpdc\@userID","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","My Pictures","\\tpdc\@userID\Meine Bilder","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","My Music","\\tpdc\@userID\Meine Musik","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","My Videos","\\tpdc\@userID\Meine Videos","REG_SZ")

WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Personal","\\tpdc\@userID","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Pictures","\\tpdc\@userID\Meine Bilder","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Music","\\tpdc\@userID\Meine Musik","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Videos","\\tpdc\@userID\Meine Videos","REG_SZ")

;server profiles should no longer be cached locally now; 16.07.07: this is handled via ntconfig.pol
;$PFAD="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"

If InStr(@PRODUCTTYPE, "Windows 7")
WRITEVALUE("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","DeleteRoamingCache","001","REG_DWORD")
ENDIF


;
ENDIF
;first login delete

$RETURNVALUE=EXISTKEY("HKEY_CURRENT_USER\tpdc\FIRST_LOGIN")
IF $RETURNVALUE=0
DELKEY("HKEY_CURRENT_USER\tpdc\FIRST_LOGIN")
ENDIF


;ENDIF for the FIRST_LOGIN check
ENDIF
;ENDIF for Win7
ENDIF

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of John Heim
Sent

[Samba] documentation for configuring folder redirection

2012-08-02 Thread John Heim
I believe that once you have roaming profiles configured, all you need to do 
to configure folder redirection is set some registry keys. I'd like to turn 
that job over to our Windows sys admin. Can someone provide me with their 
favorite documentation for configuring folder redirection? Keep in mind I am 
passing this link along to a Windows sys admin. Our backend is samba 3.6.3 
if it matters.



Re: [Samba] Samba4: 2DC domain. Which ldap:// address do I use, DC1 or DC2?

2012-07-29 Thread John Drescher
On Sun, Jul 29, 2012 at 11:43 AM, steve  wrote:
> 2 Samba4 DC's joined and replicating great.
> Hi
> I'm running some Linux scripts on DC2 which I copied from DC1.
>
> I changed the ldap://address for a script which I copied to DC2 to that of
> DC2. If I now deliberately failover DC1,  the script on DC2 complains that
> the ldap address is invalid.
>
> Do I keep the scripts at the same ldap://address on BOTH DC's? Is, that
> correct?

I put both ldap servers (actually in my case 3 ldap servers and 3 DCs)
on that line on both DCs.

John


Re: [Samba] Win7 Joining Domain, LDAP Profile Created but Join Fails

2012-07-28 Thread John Drescher
> I am back with yet another issue. I am currently running a Samba 3.5.10-125
> PDC on RHEL 6.2. My backend is LDAP, and I am using the smbldap scripts for
> dealing with ldap profiles related to my samba instance. Currently I am
> able to fully browse all shares, and ID's for the users are mapped just
> fine. I run into my problem when attempting to join the domain. It seems
> the profile is created in ldap for the workstation as it should, however I
> am faced with a windows error stating that "The Specified computer account
> could not be found". I have attached my config as well as DebugLevel 10 Log
> output when attempting to join. Any ideas as to what I could be doing
> wrong, or what could be causing my samba woes, would be greatly appreciated.
>

Did you enable the registry settings?

http://wiki.samba.org/index.php/Windows7

Also does the join succeed the second time?

John


Re: [Samba] Samba4: how to build on Virtualbox

2012-07-23 Thread John Drescher
> VB with openSUSE 12.1 guest and host, guest with 512Mb RAM.
>
> Samba4 takes over 6 hours to build on the guest. The host does it in around
> 30 minutes even when the guest is fired up.
>
> I tried to rsync a build from the host to the guest but that takes forever
> too.
>
> Any tips?
>

I usually give a guest 3+ GB of ram if it will be building anything.
Can you increase that?

John


Re: [Samba] s3fs vs. zfs

2012-07-03 Thread John Drescher
On Tue, Jul 3, 2012 at 10:19 AM, Chris Weiss  wrote:
> On Tue, Jul 3, 2012 at 9:11 AM, Luiz Gustavo dos S. Costa
>  wrote:
>> Hi all..
>>
>> Is possible use the s3fs with ZFS (freebsd) ? how ?
>
> as I understand it, s3fs isn't a filesystem, it's a file server.  it's
> basically the samba3 file server code with SMB3 protocol support
> merged and integrated into samba4.  so just as always, the underlying
> filesystem is not very relevant.
> --

I believe the issue is freebsd and other non linux zfs implementations
come with an integrated cifs server.

John


Re: [Samba] smb.conf for around 2500 users

2012-07-02 Thread John Heim

From: "steve" 
To: 
Sent: Monday, July 02, 2012 4:09 PM
Subject: Re: [Samba] smb.conf for around 2500 users



On 02/07/12 21:17, Matthieu Patou wrote:

On 07/02/2012 08:39 AM, steve wrote:

Samba4 with Linux and Windows clients wanting to get the same home
folder data.

Hi
A college has students arranged with Linux home directories according
to which year they belong to and which class within that year, a or b
or whatever, they belong to e.g.:
/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

To get at the same data on windows, I was thinking of a share for each
of the classes e.g.
[year7a]
path = /home2/students/year7/year7a
read only = No
browsable = No
...
...
[year13a]
path = /home2/students/year13/year13a
read only = No
browsable = No

and mapping a drive letter to the share e.g.
map Z: to \\server\year7a\%USERNAME%

That would make lots of shares but would make it readable to non admins.

Is there a limit on the number of shares per installation?
Any other ideas of how to go about it? e.g. I thought about OU's but
we do not want to administer from Windows.



Did you think about making a new directory, i.e.
/home2/students/data with a link to each real user and then sharing data
like that

[data]
path = /home2/students/data
read only = No
browsable = No

And then use ADUC or ldbedit to specify the connect to attribute and set
it to \\servername\data\%username%


Hi Matthieu,
That looks promising. Will cifs symlink, or are we still at ext4 level 
here?


Are you saying that a real student e.g.
/home2/students/year7/year7a/steve
has a symlink in
/home2/students/data
??
Would that be e.g. for student steve:
ln -s /home2/students/year7/year7a/steve /home2/students/data/steve
(or is the link the other way around?)

All students then have a link in
/home2/students/data/
irrespective of which class they are in.

For all students, I then map, e.g.  Z:
 to
\\servername\data\%USERNAME%

Am I close?



Well, that would probably work but we have a similar problem and took a 
different approach. We configure a net share through a logon script for our 
users. In our smb.conf, we configure samba to call a perl script called 
sambalogin like this:


root preexec = /usr/local/sbin/sambalogin %U %m %M %G %L
root postexec = rm -f /var/lib/samba/netlogon/%U.bat

The preexec script generates a Windows batch script that  maps the user's 
home to their X: drive. The postexec command deletes the Windows batch file. 
In the perl script, we  do an ldap query to get the user's home and then put 
a "net use" command into the batch script that maps their home to their X: 
drive.


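#!/usr/bin/perl
use strict;
use warnings;
# Arguments as passed by the root preexec line above: %U %m %M %G %L
my ($user, $client, $client_host, $group, $server) = @ARGV;
open(my $logon, '>', "/var/lib/samba/netlogon/$user.bat")
    or die "cannot write logon script for $user: $!";
print $logon "\@ECHO OFF\r\n";
my $home = gethome($user, $group);   # site-specific LDAP lookup, not shown here
if ($home)
 { print $logon "NET USE X: $home\\homes\r\n"; }
close($logon);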

The exact contents of the gethome function is left as an exercise for the 
reader.
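
Added example, not the poster's script: a Python rendering of the preexec generator described above that validates its inputs before writing the batch file, since smb.conf(5) documents %U as the user name the client asked for and the script runs as root. The lookup_home callable stands in for the LDAP query, and the two name patterns are an assumed site policy.

```python
import os
import re
import tempfile

NETLOGON_DIR = "/var/lib/samba/netlogon"   # directory used in the post

# Assumed policy: the name becomes a file name, so no path separators,
# no leading dot, at most 32 characters.
USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
# The looked-up value is written into a batch file that the client executes,
# so accept only a plain \\server prefix (assumed format of the lookup result).
SERVER_RE = re.compile(r"\\\\[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def batch_text(home_server):
    """Return the logon script body, CRLF-terminated as in the Perl version."""
    if not SERVER_RE.fullmatch(home_server):
        raise ValueError("unexpected home server value: %r" % home_server)
    return "@ECHO OFF\r\nNET USE X: %s\\homes\r\n" % home_server


def write_logon_script(user, lookup_home, netlogon_dir=NETLOGON_DIR):
    """Create <netlogon_dir>/<user>.bat.

    Returns the path written, or None when no home is known for the user.
    Raises ValueError when the user name or the looked-up value is rejected.
    """
    if not USER_RE.fullmatch(user):
        raise ValueError("rejected user name: %r" % user)
    home_server = lookup_home(user)
    if not home_server:
        return None
    text = batch_text(home_server)
    path = os.path.join(netlogon_dir, user + ".bat")
    # O_NOFOLLOW: refuse to write through a symlink sitting at the target path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w", newline="") as handle:
        handle.write(text)
    return path


if __name__ == "__main__":
    # Constructed data: one known user, written to a scratch directory.
    homes = {"student1": "\\\\fileserver"}
    scratch = tempfile.mkdtemp()
    print(write_logon_script("student1", homes.get, scratch))
    for name in ("student1", "nobody", "a/b"):
        try:
            print(name, "->", write_logon_script(name, homes.get, scratch))
        except ValueError as err:
            print(name, "->", err)
```
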



Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread John Drescher
On Mon, Jul 2, 2012 at 11:01 AM, Alan Holt  wrote:
> What does it mean?
> This is name of my domain:
>
> # vi /etc/smbldap-tools/smbldap.conf
> 
> suffix="dc=mydomaine,dc=com"
> 

I am talking about the workgroup setting in smb.conf

This should not contain a "."

John


Re: [Samba] A device attached to the system is not functioning

2012-07-02 Thread John Drescher
On Mon, Jul 2, 2012 at 10:49 AM, Alan Holt  wrote:
> Dear all,
> I was looking a lot around of Internet, but still did not find some
> solution for my problem.
> I have SAMBA and domain with ldap, everything have been fine until today.
>
> Like usually I did create new user in domain and tried to get into my
> domain on Windows 7 and Windows XP machines.
> Then I have got this error:
>
> "A device attached to the system is not functioning"
> I checked SAMBA logs and found this:
>
> ==> /var/log/samba/xp-8a995003b537.log <==
> [2012/07/02 17:38:28.626582,  1]
> rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>   _netr_LogonSamLogon: user MYDOMAINE.COM\alex has user sid
> S-1-5-21-2139989288-483860436-2398042574-3228
>but group sid S-1-5-21-3745118107-2241246581-749181168-513-513.
>   The conflicting domain portions are not supported for NETLOGON calls
>
> I guess it's happens because some problems with SID. I did check SID for
> user alex:
>
> # pdbedit -L -v alex
> User SID:  S-1-5-21-2139989288-483860436-2398042574-3228
> Primary Group SID:S-1-5-21-3745118107-2241246581-*749181168-513*-513
> Domain:MYDOMAIN.COM
>
> Also I did check SID for my domain:
> # net getlocalsid  MYDOMAIN .COM
> SID for domain  MYDOMAIN .COM is: S-1-5-21-3745118107-2241246581-*
> 749181168-513*
>
> So could you please to help to solve this issue?
> Thanks.
>

I do not believe windows likes samba3 / windows nt domains having a
"." in the domain name

John
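
Added example (not part of the thread): the log excerpt quoted above reports that the user SID and group SID have conflicting domain portions, and this Python script runs that comparison over `pdbedit -L -v` style output. The SIDs for alex and for the domain are the ones quoted above with the e-mail emphasis asterisks removed; the record layout, the account bob and all function names are constructed for illustration.

```python
import re

# Matches an NT-style account SID such as S-1-5-21-<sub-authorities...>
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")
WANTED = ("Unix username", "User SID", "Primary Group SID")


def split_sid(sid):
    """Return (domain portion, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def looks_like_domain_sid(sid):
    """An NT domain SID is S-1-5-21 followed by exactly three sub-authorities."""
    return re.fullmatch(r"S-1-5-21(?:-\d+){3}", sid) is not None


def parse_pdbedit(text):
    """Parse `pdbedit -L -v` style text into one dict per account record."""
    records, current = [], {}
    for line in text.splitlines():
        if set(line.strip()) == {"-"}:           # dashed line between records
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in WANTED:
            continue
        value = value.replace("*", "").strip()   # drop e-mail emphasis markers
        if key == "Unix username":
            current[key] = value
        else:
            match = SID_RE.search(value)
            if match:
                current[key] = match.group(0)
    if current:
        records.append(current)
    return records


def audit(text, local_domain_sid):
    """Map each user name to a list of SID consistency findings."""
    report = {}
    for rec in parse_pdbedit(text):
        if "User SID" not in rec or "Primary Group SID" not in rec:
            continue
        user_dom, _ = split_sid(rec["User SID"])
        group_dom, _ = split_sid(rec["Primary Group SID"])
        findings = []
        if user_dom != group_dom:
            findings.append("user and primary group SIDs are in different domains")
        if user_dom != local_domain_sid:
            findings.append("user SID is outside the local domain SID")
        if group_dom != local_domain_sid:
            findings.append("primary group SID is outside the local domain SID")
        report[rec.get("Unix username", "?")] = findings
    return report


# Domain SID as printed by `net getlocalsid` in the quoted message.
LOCAL_SID = "S-1-5-21-3745118107-2241246581-749181168-513"

# alex: SIDs from the quoted message. bob: constructed, consistent account.
SAMPLE = """\
---------------
Unix username:        alex
User SID:             S-1-5-21-2139989288-483860436-2398042574-3228
Primary Group SID:    S-1-5-21-3745118107-2241246581-*749181168-513*-513
---------------
Unix username:        bob
User SID:             S-1-5-21-3745118107-2241246581-749181168-513-3230
Primary Group SID:    S-1-5-21-3745118107-2241246581-749181168-513-513
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, LOCAL_SID).items():
        print(user, "OK" if not findings else findings)
    print("domain SID has the usual shape:", looks_like_domain_sid(LOCAL_SID))
```
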


Re: [Samba] Samba Platform Support Clarification

2012-06-17 Thread John H Terpstra
David,

Samba indeed can be used on a wide range of operating systems to provide
file and print interoperability with Microsoft Windows platforms.  The
Samba source code can be compiled to run on many operating system
platforms.  In the past it has been built and run on Linux, UNIX (all
flavors), VME, VMS, MVE, etc.

Samba is included with nearly all Linux distributions whether used
natively or in virtual machines.

You should be able to obtain Samba binaries (RPM packages) for your z/VM
-based Red Hat Linux system.  If not, you may have to build them on your
platform.

- John T.

On 06/15/2012 04:04 PM, David Moss wrote:
> 
> 
> Good evening.  I'm seeking to verify the feasibility of using Samba as a
> file and print server running under the Linux operating system (Red Hat or
> SUSE), itself running under the System z Virtual Machine (z/VM).  The
> documentation I've seen seems to indicate that Samba runs under Linux, but
> virtually all the specifics seem to speak in terms of UNIX.   So  I'd
> appreciate it for my peace of mind if you could please confirm whether (1)
> Samba runs under Linux, and even more specifically if possible, (2) whether
> Samba runs under Linux running under z/VM on System z.  Thank you for any
> clarification you can provide. .
> 
> Regards
> 
>   Dave Moss
>   Senior Certified Executive Systems Architect
>   Open Group Distinguished Certified IT Architect
>   System z Client Architect
>   IBM Corporation  6710 Rockledge Drive
>   Bethesda, Maryland  20817
>   US Federal
>   (301) 803-62208-262-6220  Cell Phone 703 268 0402
>   mo...@us.ibm.com



[Samba] Gentoo Linux-installed Samba 4 alpha 21 getting python error

2012-06-13 Thread John Dekowski
I installed the Samba 4 alpha 21 using the Samba 4 alpha 20 ebuild as a
template:

When I try to run the samba-tool command, I keep getting

Code:
  File "/usr/bin/samba-tool", line 38
    except SystemExit, e:
                     ^
SyntaxError: invalid syntax


Re: [Samba] Yet another Win7 failing to join the domain...

2012-06-06 Thread John Doe
From: "Hoover, Tony" 

> CentOS 5 does have a newer samba available.  To get it:
> yum remove samba
> yum install samba3 
> or to get really fresh samba, use the SerNet repos.

Ah, thx for the info!

JD


Re: [Samba] Yet another Win7 failing to join the domain...

2012-06-06 Thread John Drescher
> I just installed a Windows 7 Pro workstation and failed to join our domain 
> ("latest" samba 3.0.33 from CentOS 5.8).
> I tried the 2 lanmanWorkstation registry keys from the wiki and Windows keeps 
> saying that he cannot find the domain.
> I see NOTHING in samba logs... no failure message... almost like Windows did 
> not even try to talk to it...
> I tried the old way (CompatibleRUP, signorseal, strongkey, secpol "LM/NTLM or 
> NTLMv2 if neg") to no avail.
>
> Others Vista can join "without problem".
> I can mount shares manually
>
> I read the samba wiki and did not see this version as tested, apart from the 
> "and other versions".
> Is it supposed to work or do I need to install a newer version (non CentOS 
> provided)?
>

I would upgrade samba. 3.0.33 came out years before Windows 7.

John


[Samba] Yet another Win7 failing to join the domain...

2012-06-06 Thread John Doe
Hi,

I just installed a Windows 7 Pro workstation and failed to join our domain 
("latest" samba 3.0.33 from CentOS 5.8).
I tried the 2 lanmanWorkstation registry keys from the wiki and Windows keeps 
saying that he cannot find the domain.
I see NOTHING in samba logs... no failure message... almost like Windows did 
not even try to talk to it...
I tried the old way (CompatibleRUP, signorseal, strongkey, secpol "LM/NTLM or 
NTLMv2 if neg") to no avail.

Others Vista can join "without problem".
I can mount shares manually

I read the samba wiki and did not see this version as tested, apart from the 
"and other versions".
Is it supposed to work or do I need to install a newer version (non CentOS 
provided)?

Thx,
JD



Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread John Drescher
> Got it, I will give a try, thanks!!!
>
One easy way to do that is Ldap account manager.

http://www.ldap-account-manager.org/lamcms/changelog

John


Re: [Samba] Linux to Windows Interoperability

2012-05-24 Thread John Drescher
> Curious to know if Samba is able to support communication (read/write) with 
> external media formatted EXT3 (Linux volume) from within the MS Windows 
> environment?
>

I am not sure samba works on a windows machine. I mean you would have
to disable the Server service and probably a few more since Samba
replaces these.

John


Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Newman, John W
>Which version of Samba are you using?
Samba version 3.5.11

>What does the idmap backend configuration for winbind look like? 
Well.. I'm not really sure what that is (I inherited this project).  In 
smb.conf all he has here is:  idmap uid = 1-2 idmap gid=1-2 
 I don't see idmap backend = set at all in here.  That is probably a big 
part of the problem isn't it?   

>Does testparm yield any errors?
ERROR: the 'winbind separator' parameter must be a single character.  Hmm.. I 
just changed that to a single \ , and our existing authentication service still 
works fine, but the share behaves no differently.  The extra \ was probably in 
error from this file being edited with sed.

>Do getent group and wbinfo -g return the expected results?
getent group shows all of the local linux groups on this machine - no AD 
groups.  Is that expected?
wbinfo -g shows the windows groups fine, the only thing that's odd is is all of 
the groups on this domain show in lower case.  They may or may not be that way 
in their AD, I can't see for sure.   (We are forcing a linux machine into 
someones windows network ) 

>Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication?   /etc/nsswitch and /etc/pam/* are untouched 
from the defaults.  

All that has really been setup so far is an apache service that uses 
mod_auth_ntlm_winbind to authenticate users of a webpage to their DC.  We are 
now trying to expand that samba/winbind stack over into sharing a folder.  So, 
we probably do need to look at modifying those files, and id mapping, to have a 
samba share authenticate against the DC.  Right?  For some reason I figured 
this part would just work since the join already happened.

Thanks again!


-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: samba@lists.samba.org
Subject: Re:[Samba] Grant only one AD group to samba share ?

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:
> Thanks..
>
> Unfortunately neither suggestion worked
>
> chgrp still just says "invalid group"
>
> valid users  = @"DOMAIN\\My Group" behaves the same as I described in the OP. 
>  Valid credentials = access denied ; invalid credentials = invalid name or 
> bad password.  I already tried all sorts of things in valid users, but 
> nothing is the magic string I need.
>
> Any other ideas?
>
> Thanks for the help so far, much appreciated!!
>
> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
> Sent: Tuesday, May 22, 2012 04:59
> To: samba@lists.samba.org
> Subject: Re: [Samba] Grant only one AD group to samba share ?
>
> On 21/05/12 23:36, Dale Schroeder wrote:
>> On 05/21/2012 3:42 PM, Newman, John W wrote:
>
>>> Thanks for the suggestion, but .. that doesn't work ...
>>>
>>>
>>> chgrp My\ Group /media/share
>>> chgrp: invalid group: `My Group'
>>>
>>>
>>> "My Group" is a windows AD group, not a local linux group. The 
>>> machine is "joined" to the windows domain through "net ads join", 
>>> but I don't think the security is that tightly integrated. I don't 
>>> have windows groups mapped to linux groups I've created or anything like 
>>> that.
>>> chgrp is expecting a linux group. Right?
>>>
>>> Probably I am missing something, or you guys need more information.
>>> Any thoughts?
> Hi
> Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running 
> that should read:
>
> chgrp MYDOMAIN\\My\ Group /media/share
>
> Cheers,
> Steve
>
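
Added example (not part of the thread): `chgrp` resolves group names through NSS, while `wbinfo -g` asks winbindd directly, so the two answers above (no AD groups in `getent group`, nsswitch.conf at its defaults) can be checked mechanically. The wbinfo output is the sample quoted in this thread; the nsswitch.conf and getent text, the GIDs and all function names are constructed.

```python
def nss_sources(nsswitch_text, database):
    """Return the list of sources configured for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Skip action items such as [NOTFOUND=return]
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def short_name(group, separator="\\"):
    """Strip a DOMAIN<separator> prefix and fold case, so names compare equal
    whether or not 'winbind use default domain' is in effect."""
    return group.rsplit(separator, 1)[-1].strip().lower()


def unresolved_groups(wbinfo_g, getent_group, separator="\\"):
    """Groups winbindd lists (wbinfo -g) that NSS cannot resolve (getent group)."""
    nss = {short_name(line.split(":", 1)[0], separator)
           for line in getent_group.splitlines() if line.strip()}
    return [g.strip() for g in wbinfo_g.splitlines()
            if g.strip() and short_name(g, separator) not in nss]


def diagnose(nsswitch_text, wbinfo_g, getent_group):
    """Return findings explaining why a winbind group is invisible to chgrp."""
    findings = []
    for database in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_text, database):
            findings.append("nsswitch.conf: '%s' does not list winbind" % database)
    missing = unresolved_groups(wbinfo_g, getent_group)
    if missing:
        findings.append("not resolvable through NSS: " + ", ".join(missing))
    return findings


# Constructed: nsswitch.conf without winbind, as described in the message.
NSSWITCH_DEFAULT = """\
# constructed sample
passwd:         compat
group:          compat
shadow:         compat
"""

# Constructed: the same file with winbind added as a source.
NSSWITCH_WINBIND = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
"""

# `wbinfo -g` output as quoted in the thread.
WBINFO_G = r"""MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
"""

# Constructed `getent group` output: local groups only, then with AD groups.
GETENT_LOCAL = "root:x:0:\nadm:x:4:\nusers:x:100:\n"
GETENT_WITH_AD = GETENT_LOCAL + (
    "domain admins:x:10000:\ndomain users:x:10001:\n"
    "my group:x:10005:\nmy group2:x:10006:\n"
)

if __name__ == "__main__":
    for finding in diagnose(NSSWITCH_DEFAULT, WBINFO_G, GETENT_LOCAL):
        print("FINDING:", finding)
    print("after fix:", diagnose(NSSWITCH_WINBIND, WBINFO_G, GETENT_WITH_AD))
```
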



Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Newman, John W
Thanks..

Unfortunately neither suggestion worked

chgrp still just says "invalid group"

valid users  = @"DOMAIN\\My Group" behaves the same as I described in the OP.  
Valid credentials = access denied ; invalid credentials = invalid name or bad 
password.  I already tried all sorts of things in valid users, but nothing is 
the magic string I need. 

Any other ideas?

Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:
> On 05/21/2012 3:42 PM, Newman, John W wrote:


>> Thanks for the suggestion, but .. that doesn't work ...
>>
>>
>> chgrp My\ Group /media/share
>> chgrp: invalid group: `My Group'
>>
>>
>> "My Group" is a windows AD group, not a local linux group. The 
>> machine is "joined" to the windows domain through "net ads join", but 
>> I don't think the security is that tightly integrated. I don't have 
>> windows groups mapped to linux groups I've created or anything like that.
>> chgrp is expecting a linux group. Right?
>>
>> Probably I am missing something, or you guys need more information.
>> Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that 
should read:

chgrp MYDOMAIN\\My\ Group /media/share

Cheers,
Steve



Re: [Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
OK, I definitely am missing something.  the group IDs do seem to work somewhat, 
but perhaps I just have the wrong syntax.  I keep going back to these two lines 
that he put there a long time ago:


winbind separator = \\
winbind use default domain = yes


I see others using & or % or @ ...


wbinfo -Y $(wbinfo -n "`wbinfo -g | grep Group`" | cut -d " " -f 1)
10005

so the SID mapping is somehow happening.  It's weird though as each time I call 
that with a different group name, the 1 number just goes up by one.  Like 
it is making up the unix IDs as it goes and perhaps something isn't set right.  
 Shouldn't all of the AD groups be tied to a unix ID automatically, and not 
just making them up one at a time?

Anyway, I'm not sure if that relates to my real problem here or not.  I 
understand the nix security model pretty well ... windows not so much  .. and 
bringing windows permissions into a nix machine, not at all!!  :D   This was 
all set up by another dev who is no longer in our department, I am trying to 
make sense of it and enhance it.  

Steve's suggestion below is probably correct to set the permissions on the 
share how I need, but what am I missing to get that chgrp command to work right?

Thanks

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Newman, John W
Sent: Monday, May 21, 2012 15:43
To: 'steve'; samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group.  The machine is 
"joined" to the windows domain through "net ads join", but I don't think the 
security is that tightly integrated.  I don't have windows groups mapped to 
linux groups I've created or anything like that.  chgrp is expecting a linux 
group.  Right?

Probably I am missing something, or you guys need more information.  Any 
thoughts?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and 
> configured with winbind to perform authentication against the local windows 
> domain controller. Thankfully that part is all working fine - that was 
> supposed to be the hard part. The issue I have now is: I need to grant 
> members of a certain AD group access to share (this was supposed to be easy, 
> but is not working) sanity check of winbind (sample output):
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
> Looks good. I need to grant all users in "my group" access to the share, all 
> others shouldn't even see it.
>
> [share]
>comment = Testing
>path = /media/share
>guest ok = no
>read only = yes
>valid users = @"MYDOMAIN\My Group"
>browseable = no
>locking = no
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
> authentication prompt. Answering it with invalid credentials comes back with 
> "invalid user name or bad password", vs valid credentials says "access 
> denied". So I know that the authentication with the domain controller is 
> working fine, but limiting access to that group only is not.
>
> The group name has a space in it which probably isn't helping. I have tried 
> many different combinations, but nothing seems to work. What is the proper 
> syntax for this? We have winbind separator=\ earlier in the config file 
> -- is that part of the problem maybe?
>valid users = @"MYDOMAIN\My Group"
>valid users = "@MYDOMAIN\My Group"
>valid users = "MYDOMAIN\My Group"
> etc
> nothing seems to work. My methodology for testing this is fine as soon as i 
> put guest ok =yes, the share still works.   What's the right syntax for valid 
> users= "My Domain\My Group"?  Any thoughts?
> Thanks,
> John
Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
   comment = Testing
   path = /media/share

read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have 
in smb.conf. Once inside, any files created therein become group rw for My 
Group members.

HTH
Steve

Re: [Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group.  The machine is 
"joined" to the windows domain through "net ads join", but I don't think the 
security is that tightly integrated.  I don't have windows groups mapped to 
linux groups I've created or anything like that.  chgrp is expecting a linux 
group.  Right?

Probably I am missing something, or you guys need more information.  Any 
thoughts?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and 
> configured with winbind to perform authentication against the local windows 
> domain controller. Thankfully that part is all working fine - that was 
> supposed to be the hard part. The issue I have now is: I need to grant 
> members of a certain AD group access to share (this was supposed to be easy, 
> but is not working) sanity check of winbind (sample output):
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
> Looks good. I need to grant all users in "my group" access to the share, all 
> others shouldn't even see it.
>
> [share]
>comment = Testing
>path = /media/share
>guest ok = no
>read only = yes
>valid users = @"MYDOMAIN\My Group"
>browseable = no
>locking = no
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
> authentication prompt. Answering it with invalid credentials comes back with 
> "invalid user name or bad password", vs valid credentials says "access 
> denied". So I know that the authentication with the domain controller is 
> working fine, but limiting access to that group only is not.
>
> The group name has a space in it which probably isn't helping. I have tried 
> many different combinations, but nothing seems to work. What is the proper 
> syntax for this? We have winbind separator=\ earlier in the config file 
> -- is that part of the problem maybe?
>valid users = @"MYDOMAIN\My Group"
>valid users = "@MYDOMAIN\My Group"
>valid users = "MYDOMAIN\My Group"
> etc
> nothing seems to work. My methodology for testing this is fine as soon as I 
> put guest ok = yes, the share still works. What's the right syntax for valid 
> users = "My Domain\My Group"? Any thoughts?
> Thanks,
> John
Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
   comment = Testing
   path = /media/share

read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have 
in smb.conf. Once inside, any files created therein become group rw for My 
Group members.

HTH
Steve


[Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
All,

On my ubuntu linux machine here, I already have samba set up and configured 
with winbind to perform authentication against the local windows domain 
controller. Thankfully that part is all working fine - that was supposed to be 
the hard part. The issue I have now is: I need to grant members of a certain AD 
group access to share (this was supposed to be easy, but is not working)
sanity check of winbind (sample output):
$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
Looks good. I need to grant all users in "my group" access to the share, all 
others shouldn't even see it.

[share]
  comment = Testing
  path = /media/share
  guest ok = no
  read only = yes
  valid users = @"MYDOMAIN\My Group"
  browseable = no
  locking = no
If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
authentication prompt. Answering it with invalid credentials comes back with 
"invalid user name or bad password", vs valid credentials says "access denied". 
So I know that the authentication with the domain controller is working fine, 
but limiting access to that group only is not.

The group name has a space in it which probably isn't helping. I have tried 
many different combinations, but nothing seems to work. What is the proper 
syntax for this? We have winbind separator=\ earlier in the config file -- is 
that part of the problem maybe?
  valid users = @"MYDOMAIN\My Group"
  valid users = "@MYDOMAIN\My Group"
  valid users = "MYDOMAIN\My Group"
etc
nothing seems to work. My methodology for testing this is fine as soon as I put 
guest ok = yes, the share still works. What's the right syntax for valid 
users = "My Domain\My Group"? Any thoughts?
Thanks,
John


Re: [Samba] Windows 7 often creates new user profiles

2012-05-12 Thread John Drescher
On Sat, May 12, 2012 at 11:47 AM, Christian Meier  wrote:
> Hi,
>
> we're using Samba 3.5.6 (Debian).
>
> Windows 7 clients often create new roaming profiles for existing users for no 
> identifiable reason. Windows XP isn't affected.
>
> Is this a known problem?
>

I have never ever had that happen in the 2+ years I had windows 7
machines on my samba based domain.

John


[Samba] Custom SAMBA4/OpenChage ZEG applicance

2012-04-28 Thread John Russell
Question following HowTo build your own OpenChange/SOGo appliance:
I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following
the instructions at
http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
.

I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
precise-server-amd64.iso
OpenChange from svn co -r 3923
https://svn.openchange.org/openchange/branches/sogo
SAMBA4 - Samba-4.0.0Alpha18

At the step titled "Configure DNS service"
# cd /etc/bind
# mkdir samba
# cp /usr/local/samba/private/named.* samba/
# cp -rfi /usr/local/samba/private/dns samba/

my named.* files are actually in "/usr/local/samba/share/setup/" (no big
deal)
logically I would assume my dns files would be in
"/usr/local/samba/share/setup/dns" but no cookie :(

Find reveals:
find / -name "dns"
/openchange/sogo/samba4/lib/dnspython/dns
/openchange/sogo/samba4/libcli/dns
/openchange/sogo/samba4/bin/default/libcli/dns
/openchange/sogo/samba4/bin/default/source4/dsdb/dns
/openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
/openchange/sogo/samba4/source4/dsdb/dns
/usr/share/pyshared/dns
/usr/lib/python2.7/dist-packages/dns
/usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
/usr/src/linux-headers-3.2.0-23-generic/include/config/dns

Does anyone know the correct dns file or directory to copy to the bind
directory?

Thanks


Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance

2012-04-23 Thread John Russell
I already have... and it works great!! But the project that I am using it
with has requirements that are beyond the scope of what this appliance is
designed for. One of those being built on an Ubuntu LTS/Debian release. I
have been trying to get this appliance working since last year using Lucid
only to conclude that too many PPAs are required to make it work (primarily
bind9 and python2.7).

On Mon, Apr 23, 2012 at 2:08 AM, Daniel Müller wrote:

> SOGo/Openchange has his own RC1!?
> Why don’t use it?
>
> Daniel
>
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of John Russell
> Sent: Saturday, 21 April 2012 17:11
> To: samba@lists.samba.org
> Subject: [Samba] Custom SAMBA4/OpenChage ZEG applicance
>
> Question following HowTo build your own OpenChange/SOGo appliance:
> I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following
> the instructions at
>
> http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_
> OpenChangeSOGo_appliance
> .
>
> I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
> precise-server-amd64.iso OpenChange from svn co -r 3923
> https://svn.openchange.org/openchange/branches/sogo
> SAMBA4 - Samba-4.0.0Alpha18
>
> At the step titled "Configure DNS service"
> # cd /etc/bind
> # mkdir samba
> # cp /usr/local/samba/private/named.* samba/
> # cp -rfi /usr/local/samba/private/dns samba/
>
> my named.* files are actually in "/usr/local/samba/share/setup/" (no big
> deal)
> logically I would assume my dns files would be in
> "/usr/local/samba/share/setup/dns" but no cookie :(
>
> Find reveals:
> find / -name "dns"
> /openchange/sogo/samba4/lib/dnspython/dns
> /openchange/sogo/samba4/libcli/dns
> /openchange/sogo/samba4/bin/default/libcli/dns
> /openchange/sogo/samba4/bin/default/source4/dsdb/dns
> /openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
> /openchange/sogo/samba4/source4/dsdb/dns
> /usr/share/pyshared/dns
> /usr/lib/python2.7/dist-packages/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
> /usr/src/linux-headers-3.2.0-23-generic/include/config/dns
>
> Does anyone know the correct dns file or directory to copy to the bind
> directory?
>
> Thanks
>
>
>
> --
> "It's better to be boldly decisive and risk being wrong than to agonize at
> length and be right too late."
> Marilyn Moats Kennedy


[Samba] Custom SAMBA4/OpenChage ZEG applicance

2012-04-21 Thread John Russell
Question following HowTo build your own OpenChange/SOGo appliance:
I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following
the instructions at
http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
.

I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
precise-server-amd64.iso
OpenChange from svn co -r 3923
https://svn.openchange.org/openchange/branches/sogo
SAMBA4 - Samba-4.0.0Alpha18

At the step titled "Configure DNS service"
# cd /etc/bind
# mkdir samba
# cp /usr/local/samba/private/named.* samba/
# cp -rfi /usr/local/samba/private/dns samba/

my named.* files are actually in "/usr/local/samba/share/setup/" (no big
deal)
logically I would assume my dns files would be in
"/usr/local/samba/share/setup/dns" but no cookie :(

Find reveals:
find / -name "dns"
/openchange/sogo/samba4/lib/dnspython/dns
/openchange/sogo/samba4/libcli/dns
/openchange/sogo/samba4/bin/default/libcli/dns
/openchange/sogo/samba4/bin/default/source4/dsdb/dns
/openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
/openchange/sogo/samba4/source4/dsdb/dns
/usr/share/pyshared/dns
/usr/lib/python2.7/dist-packages/dns
/usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
/usr/src/linux-headers-3.2.0-23-generic/include/config/dns

Does anyone know the correct dns file or directory to copy to the bind
directory?

Thanks



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


[Samba] Samba 3.0.33 works, 3.5.4 doesn't

2012-04-19 Thread John Oliver
I'm trying to get AD authentication working on a RHEL 5.4 base system

I can wbinfo -[ug] and getent {passwd|group} with 3.0.33  Everything
appears to work just fine, except I could not actually authenticate...
I'd always get failed password.  A lot of Googling turned up a bug that
indicated that it was impossible to get 3.0.33 to authenticate against a
W2K8 AD, so I installed 3.5.4  Same smb.conf, same krb5.conf... but I
cannot join the domain.  net ads status works, but net ads join tells
me:

Failed to join domain: failed to lookup DC info for domain 'MY.DOMAIN'
over rpc: Invalid workstation

Googling that error leads to a very few responses, none of which help
me.  What is the "invalid workstation", and how do I make it valid? :-)

smb.conf:

[global]
  workgroup = MY
  password server = 192.168.2.22
  realm = MY.DOMAIN
  security = ads
  idmap uid = 1-2
  idmap gid = 1-2
  client ntlmv2 auth = yes
  disable netbios = yes
  smb ports = 445
  winbind use default domain = yes
  winbind offline logon = yes
  winbind trusted domains only = no
  winbind enum users = yes
  winbind enum groups = yes
  passdb backend = tdbsam


krb5.conf:

[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY.DOMAIN = {
  kdc = ad1.my.domain:88
  admin_server = ad1.my.domain:749
  default_domain = my.domain
 }

[domain_realm]
 .my.domain = MY.DOMAIN
 my.domain = MY.DOMAIN

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

-- 
***
* John Oliver http://www.john-oliver.net/ *
* *
***


Re: [Samba] UID/GID mapping consistency across at least two Linux machines

2012-04-11 Thread John Drescher
> I also only use ldap the same way without any winbind.
>

For years I used to do that however my domain member servers (not PDCs
/ BDCs) would not enumerate the users correctly for the windows
security tab without using winbind. Does this work for you?

John


Re: [Samba] trust relationship between this workstation and the primary domain failed

2012-04-10 Thread John Drescher
> Still not working after readding machines to the domain.  Errors are the
> same as originally posted in /var/log/messages.
>

Please forget my advice. I thought you had a different problem. I
should not reply to posts while distracted.. I do not know how to
solve your issue.

John


Re: [Samba] trust relationship between this workstation and the primary domain failed

2012-04-10 Thread John Drescher
On Tue, Apr 10, 2012 at 9:46 AM, clinton propst wrote:

>
> Thanks for the reply.  Set the reg key below and rebooted.  Issue
> still not resolved.  From reading that post it looks like that was a fix
> for windows 7.  Our windows 7 workstations and server 2008 can access samba
> shares, but xp and server 2000 cannot.
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>   DisablePasswordChange = dword:1
>
>
You have to re-add all affected machines to the domain.

John


Re: [Samba] trust relationship between this workstation and the primary domain failed

2012-04-10 Thread John Drescher
On Tue, Apr 10, 2012 at 8:43 AM, clinton propst  wrote:
> Samba shares work for windows 7 and Server 2008, but XP and Server 2000 
> receive the following error when trying to map samba shares:
>
> "The trust relationship between this workstation and the primary domain 
> failed."
>
> tail -f /var/log/messages
> Apr 10 07:38:03 samba01 smbd[23581]:   connect_to_domain_password_server: 
> unable to open the domain client session to machine ad1.strat.com. Error was 
> : NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788387,  0] 
> rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
> Apr 10 07:38:03 samba01 smbd[23581]:   cli_rpc_pipe_open_schannel: failed to 
> get schannel session key from server ad1.strat.com for domain ARN.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788601,  0] 
> auth/auth_domain.c:188(connect_to_domain_password_server)
> Apr 10 07:38:03 samba01 smbd[23581]:   connect_to_domain_password_server: 
> unable to open the domain client session to machine ad1.strat.com. Error was 
> : NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.789152,  0] 
> auth/auth_domain.c:289(domain_client_validate) Apr 10 07:38:03 samba01 
> smbd[23581]:   domain_client_validate: Domain password server not available
>
> Samba 3.5.10
> RHEL 6.2
>
> Any help is appreciated.

http://lists.samba.org/archive/samba/2010-October/158591.html

-- 
John M. Drescher


Re: [Samba] Chown

2012-04-02 Thread John Drescher
> Hello list, I did try to assign permission to folder for some users in
> samba4 as BDC, for example
> chown sandy Temp/
> chown: invalid user: `sandy'
>
> when sandy is a user created in Active Directory, why does it tell me that sandy is
> an invalid user?
>

It sounds like you do not have your nsswitch setup to use winbind.

John
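
The check this reply points at, as an added example that is not part of the thread: chown and chgrp accept a domain account only if NSS can resolve it, so the script reports whether the passwd and group lines of an nsswitch.conf-style file list winbind (the "chgrp: invalid group" error in the AD group thread above is the same class of failure). The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does an nsswitch.conf-style file list
# winbind for the databases that chown/chgrp depend on?

# nss_sources FILE DATABASE
# Print the sources configured for DATABASE, one per line. Comments and
# [STATUS=action] items are dropped; a missing space after the colon is tolerated.
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/ /g' -e 's/:/: /' "$1" |
    while read -r key rest; do
        if [ "$key" = "$2:" ]; then
            printf '%s\n' "$rest" | tr -s ' \t' '\n\n' | sed '/^$/d'
        fi
    done
}

# nss_has_winbind FILE DATABASE
# Exit status 0 when winbind is one of the listed sources.
nss_has_winbind() {
    nss_sources "$1" "$2" | grep -qx 'winbind'
}

# nss_winbind_report FILE
# One line per database; returns non-zero when passwd or group lacks winbind,
# the situation in which chown/chgrp answer "invalid user" / "invalid group"
# for accounts that exist only in the domain.
nss_winbind_report() {
    _rc=0
    for _db in passwd group; do
        if nss_has_winbind "$1" "$_db"; then
            echo "$_db: winbind listed"
        else
            echo "$_db: winbind missing"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: no winbind anywhere.
sample_without_winbind() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
}

# Constructed sample: winbind added for passwd and group only.
sample_with_winbind() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat winbind   # domain users
group:          files [NOTFOUND=continue] winbind
shadow:         compat
EOF
}

# Demo on the constructed samples.
demo_file=$(mktemp)
sample_without_winbind > "$demo_file"; nss_winbind_report "$demo_file"
sample_with_winbind > "$demo_file"; nss_winbind_report "$demo_file"
rm -f "$demo_file"
```

On a real member server, point nss_winbind_report at /etc/nsswitch.conf and then confirm the name itself resolves with getent before retrying chown or chgrp.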


[Samba] Fwd: windows 7 roaming profiles

2012-03-29 Thread John Drescher
> Isn't there a way with group policies to have the client delete the
> roaming profile after the user logs out. I think that would solve the
> OP's problem.


Yes, there's a way to do that. But it doesn't solve the problem of
having to transfer maybe hundreds of megabytes or even worse each time
you log in to the domain. Back when the idea of roaming profiles was
first put to practice (Windows 2000), user profiles were MUCH smaller
than they are today.

So, the use of roaming profiles with folder redirection seems to me
the most appropriate way to deal with this.

Please note that the "Local Settings" component of the profile should
not be redirected.


Re: [Samba] windows 7 roaming profiles

2012-03-29 Thread John Drescher
>> Of the three you mention above, which one corresponds to 'always read
>> the profile from the server and store nothing on the local disk'?
>
>
> None...
>
Isn't there a way with group policies to have the client delete the
roaming profile after the user logs out. I think that would solve the
OP's problem.

John


[Samba] Debugging tdb_oob log messages in samba 3.6

2012-03-22 Thread John Mulligan
Hello samba list,

We're trialling Samba 3.6 and on some of our systems I see the following type 
of messages in the smbd and winbind logs:

[2012/03/16 17:28:59.038177,  0] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/messages.tdb): tdb_oob len 663932 beyond eof at 12288
[2012/03/16 17:28:59.038331,  0] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/messages.tdb): tdb_oob len 663932 beyond eof at 12288
[2012/03/16 17:28:59.038408,  0] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/messages.tdb): tdb_oob len 663932 beyond eof at 12288

These messages also appear to coincide with a very long time to open up the 
properties panel of a file or directory on the Windows clients (a mix of Win7 
and Server 2008). I poked around with increased logging levels and did some 
googling but nothing really relevant seems to pop up. 

This feels like a bug to me, but I don't feel like I have enough information 
to report it as such. I'd like to know what to do in order to provide you all 
with more detailed information about this issue. I'm happy to try and provide 
more information, I'm just not sure what is relevant at this point.

Our systems are running Fedora 14 with Samba RPMs of the following versions:
  libtalloc-2.0.7
  libtdb-1.2.9
  samba-winbind-clients-3.6.3
  samba-3.6.3
  samba-client-3.6.3
  samba-common-3.6.3
  samba-winbind-3.6.3

For now we get along with stopping the samba services, and removing 
/var/lib/samba/messages.tdb before restarting them. This clears the issue up 
right away but it "comes back" intermittently. I have not been able to narrow 
down a cause. Any help would be greatly appreciated.

--John M.


Re: [Samba] Cifs mount in samba

2012-03-19 Thread John Drescher
> Hi people!
> Help me please with a cifs mount in samba. When I mount a cifs resource to a
> folder which is a part of samba share, users get all folders in it as zero
> files. They press F5 or refresh, and folders become ordinary ones. The issue
> repeats with all folders inside it. How to resolve this issue?
>

I would use a dfs link inside your share instead.

John


[Samba] problem with created file permissions

2012-03-04 Thread John W
After struggling with my smb.conf for a while, I feel I am missing
something fundamental about how 'create mask' and 'force create mode'
work.

I have a dropbox-style share (which is working), which uses 'security
= share', and I would like to specify certain permissions on files
created in this share.

In both of the below examples, files always get created with 744
permissions ('-rwxr--r--').

# example 1
[myshare]
 comment = my share
 path = /path/to/myshare
 public = yes
 read only = no
 writable = yes
 browseable = yes
 printable = no
 force create mode = 0777
 create mask = 0777

# example 2
# identical to the above, except for the last two lines, which are instead:
 force create mode = 
 create mask = 

Is there a piece of the puzzle I am missing here?
I don't actually want the above permissions ultimately, of course, but
hopefully they demonstrate that I am failing to get it to work at all.

This is samba 3.5, running on FreeBSD 7.2-RELEASE.
I can provide more details of my smb.conf, if that will help.

Sorry if this seems very basic, but my own research is not proving helpful yet.

Thanks
-John


Re: [Samba] Proposal to change security=share in Samba 4.0

2012-02-27 Thread John H Terpstra
On 02/27/2012 04:58 AM, Andrew Bartlett wrote:
> I recently proposed on samba-technical that for Samba 4.0, that we
> change security=share to have the following semantics:
> 
>  - All connections are made as the guest user
>  - No passwords are required, and no other accounts are available.
> 
> Naturally, full user-name/password authentication remain available in
> security=user and above.
> 
> The rationale is that we need a very simple way to run a 'trust the
> network' Samba server, where users mark shares as guest ok.  I want to
> keep these simple configurations working.
> 
> At the same time, I want to close the door on one of the most arcane
> areas of Samba authentication.  The problem comes from the fact that
> Samba never implemented security=share properly:  instead of having one
> password per share, we tried to guess the username, and match that to a
> username/password pair. 
> 
> Not only is this code complex, it begins to fail with modern clients and
> modern security settings.  For example, NTLMv2 relies on the username
> and workgroup, but clients which send NTLMv2 do not send these in the
> 'tree connect' request that contains the password.  Instead, we must
> remember the previous unchecked 'session setup', and apply the password
> from there.  If we instead guess the username, then NTLMv2 will not
> work.
> 
> Finally, Samba clients only send LM passwords to security=share servers.
> LM passwords are very insecure, and are now off by default.  As such,
> Samba clients will not connect to any server running security=share by
> default.
> 
> If you use security=share, and feel that your particular configuration
> cannot be handled any other way, please let me know, so we can find the
> best to handle your particular requirements. 
> 
> Thanks, 
> 
> Andrew Bartlett

Is there any reason we can not do away with "security = share" and get
rid of this altogether?  Was there not a prior proposal to deprecate
this back in the early days of 3.0.x?

- John T.


[Samba] pam_smbldap problem

2012-02-15 Thread John McMonagle
 tls on :-(

It does the same if I connect through the local ldap server when it gets 
referred to an ldaps connection.
To test I changed the referral in slapd.conf to ldap:/./ and it worked.

Any suggestions on how to fix or debug?

John


 




[Samba] Winbind multiple client authentication

2012-01-25 Thread John Musbach
Hello, I have two CentOS 5.6 clients I'm trying to join to my Active
Directory domain for authentication. I have configured my smb.conf
like:

realm = SYSLAB.DC
idmap backend = rid
idmap uid = 1-2
idmap gid = 1-2

and have been able to join both to the domain via:

kinit administra...@syslab.dc
net ads join -U Administrator

Then I added krb5 to pam.d auth section and configured passwd, group
and shadow in nsswitch.conf for "compat winbind". This works fine on
the first configured client, but the second one always says it is
unable to resolve the accounts to a uid/gid pair, even though manual
tests like "getent passwd Administrator" work.

HOWEVER, one oddity in my setup is that the second client is a virtual
machine clone of the first... Is it possible that as a result samba
joined the second computer with a kerberos property that conflicts
with the first client's AD object? Is it not possible to have a cloned
virtual machine authenticate in this way at the same time as its
original (mac address and IP are unique)?

Thanks for any advice you can offer, please cc me when replying as I
receive list postings in digest.

-- 
Best Regards,

John Musbach


Re: [Samba] smbpasswd not working

2012-01-19 Thread John Tate
On Fri, Jan 20, 2012 at 2:15 AM, Helmut Hullen  wrote:

> Hello, John,
>
> You wrote on 20.01.12:
>
> > root@hayek:~# smbpasswd john
> > New SMB password:
> > Retype new SMB password:
> > Failed to find entry for user john.
>
> > This is despite the existence of the user
> > root@hayek:~# cat /etc/samba/smbpasswd
> > #
> > # SMB password file.
> > #
> > nobody:65534:XXXX:XXX
> > X:[U ]:LCT-:nobody
> > john:1000:XXXX:XX
> > XX:[U ]:LCT-:John Tate,,,
>
> Tells
>
>pdbedit -Lw -u john
>
> the same contents?
> And - please - don't show this contents (at least the unchanged
> contents); it's very simple to restore the original password from this
> contents.
>
> Additional (related to Volkers answer): what tells
>
>testparm -sv 2>/dev/null | grep backend
>


> root@hayek:~# testparm -sv 2>/dev/null | grep backend
> passdb backend = tdbsam
> idmap backend = tdb
> idmap config * : backend = tdb
>
>
Yeah I'm using a different backend to what I thought. I've actually not
configured samba on Linux in a long time. Some things have changed it seems
I'll just have to catch up on the docs. I know what area I'm wrong in now
so thanks.

> Best regards!
> Helmut



-- 
www.johntate.org


Re: [Samba] Ignoring unknown parameter "hosts equiv"

2012-01-19 Thread John Drescher
> I tried to remove everything related to printing and didn't change a thing. 
> Can still print from every pc directly via lan and that error message keeps 
> filling up my logs.
>
> What did I miss?
>
>        hosts equiv = 10.0.0.1/24

Remove the above line.


John


[Samba] smbpasswd not working

2012-01-19 Thread John Tate
When I used smbpasswd it gives me the following error...
root@hayek:~# smbpasswd john
New SMB password:
Retype new SMB password:
Failed to find entry for user john.

This is despite the existence of the user
root@hayek:~# cat /etc/samba/smbpasswd
#
# SMB password file.
#
nobody:65534:::[U
]:LCT-:nobody
john:1000:::[U
]:LCT-:John Tate,,,

I do not understand what is going on. I really need to get this working.

John Tate

-- 
www.johntate.org


Re: [Samba] Rejecting auth request from client xxx machine account, win7,

2012-01-17 Thread John Drescher
On Tue, Jan 17, 2012 at 5:59 AM, ESGLinux  wrote:
> Hi All,
>
> I have a strange problem with my SAMBA server as PDC.
>
>
> I have some win7 machines joined to my domain but when I try to access some
> folders on the server I get  messages like these:
>
> Authentication for user [machine$] -> [machine$] FAILED with error
> NT_STATUS_WRONG_PASSWORD
>
> [2012/01/17 11:34:52,  0]
> rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
>  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
> auth request from client machine machine account machine$
>
>
> I have added the machine to the LDAP,
>
> I have only the problem with the win7 machines. I think the problem has
> begun some days ago. Before It works fine (win7 update perhaps?)
>
> I have checked this url:
> http://wiki.samba.org/index.php/Windows7
>
> But it does not solve the problem.
>
> I have samba-3.3.7-1 installed.
>
> I have not idea which can be the problem, any help from there?
>
> Thanks in advance
>

Have the windows 7 machines been in the domain for more than 30 days?
If so the machine password update can cause this. I believe if no user
is logged in and a machine password update happens from the client,
samba will not accept the change. At work I had to disable machine
password updates on all windows 7 machines to avoid this.

http://lists.samba.org/archive/samba/2010-October/158590.html


John
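
A log check for the rejection quoted in this thread, as an added example that is not part of the original messages: it groups smbd log records carrying the "netlogon_creds_server_check failed" message by machine account, with the count and the first and last time seen, so the workstations affected by a machine password change can be listed. It assumes the header-plus-message record layout of the log lines quoted on this page; the function names, the accounts PC-A$ and PC-B$ and the sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list machine accounts whose netlogon
# authentication smbd rejected, from an smbd log.

# rejected_machine_accounts LOGFILE
# Output per account, sorted by account name:
#   <account> <count> <first date> <first time> <last date> <last time>
rejected_machine_accounts() {
    awk '
        # Close the record collected so far and count it if it is a rejection.
        function finish(   acct) {
            if (msg ~ /netlogon_creds_server_check failed/ &&
                match(msg, /machine account [^ ]+/)) {
                # skip the 16 characters of "machine account "
                acct = substr(msg, RSTART + 16, RLENGTH - 16)
                count[acct]++
                if (!(acct in first)) first[acct] = ts
                last[acct] = ts
            }
            msg = ""
        }
        # Header line: "[YYYY/MM/DD HH:MM:SS(.usec),  level] source reference"
        /^\[[0-9]+\/[0-9]+\/[0-9]+ [0-9:.]+, +[0-9]+\]/ {
            finish()
            ts = substr($0, 2, 19)      # date and time, without microseconds
            next
        }
        # Any other line continues the message of the current record,
        # which also covers messages wrapped over several lines.
        {
            sub(/^[ \t]+/, "")
            msg = (msg == "" ? $0 : msg " " $0)
        }
        END {
            finish()
            for (a in count) print a, count[a], first[a], last[a]
        }
    ' "$1" | sort
}

# Constructed sample log in the two header styles quoted on this page
# (with and without microseconds); the accounts are made up.
sample_netlogon_log() {
    cat <<'EOF'
[2012/01/17 11:34:52,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client PC-A machine account PC-A$
[2012/01/17 11:35:03.788601,  0] auth/auth_domain.c:289(domain_client_validate)
  domain_client_validate: Domain password server not available
[2012/01/17 11:41:07,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
  auth request from client PC-A machine account PC-A$
[2012/01/17 12:02:30,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client PC-B machine account PC-B$
EOF
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_netlogon_log > "$demo_log"
rejected_machine_accounts "$demo_log"
rm -f "$demo_log"
```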



[Samba] Fwd: Newbie question but an Easy one

2012-01-11 Thread John Drescher
Please send all questions to the list as well. I can not always answer
in a timely fashion.


-- Forwarded message --
From: Craig Ham 
Date: Wed, Jan 11, 2012 at 3:36 PM
Subject: Re: [Samba] Newbie question but an Easy one
To: John Drescher 


John
So I've got Ubuntu and Samba server up and running.
I create a user in linux and on samba, both same username and password.
I get to a workstation and double click the server name, I enter the
samba username and password but fail to log in.
What am I missing?

On Tue, Nov 22, 2011 at 12:51 PM, John Drescher  wrote:
>
> > Our school needs to replace our Novell server.
> > We have a collection of XP Pro computers and a few XP Home, Win98, Win95
> > and Win2000 computers.
> > All we need is file sharing.
> >
> > Can Samba be setup so that all these computers can access a file share (F:\
> > or G:\)  and run the program on the client pc?
> >
>
> Yes of course.
>
> > What would be the minimum HW required for Samba server?
>
> This depends on what type of performance you need. You can run samba
> on 2W arm based cpus if you want.
>
> John




--
Mr. Craig Ham
Technology Coordinator
Westminster Schools of Augusta
3067 Wheeler Road
Augusta, GA 30909
(706) 731-5260 x2314
Fax (706) 731-5274




-- 
John M. Drescher

