Re: [Samba] Auto-Create Directory
Ray Holtz wrote:
> José Ildefonso Camargo Tolosa wrote:
>> Yes, you can. It will use samba for session, not for auth (obey pam restrictions = Yes). I'm using it, on a samba PDC. Not sure if it will work with security=ads (I don't use w2k3, I use a samba PDC (I have even customers who are changing their w2k3 servers to samba, because of the CAL)).
>
> I appreciate the help, but that won't work for me. In the smb.conf(5) man file under 'obey pam restrictions (G)'... It says: "When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. () Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes."

(only ignores authentication). It doesn't say anything about ADS, and I use it with encrypt passwords=yes. I'm not sure, maybe I'm wrong, I would like you to do the test, it works for me. Anyway, you have nothing to lose, put in /etc/pam.d/samba:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

In my case it is in /etc/pam.d/common-session, because I'm using Debian.

Now my question: why do you need Windows 2003 server? I have found that almost everything can be done with linux-based servers (just ask me anything). The only thing you would lose is the "kerberos" auth for the windows workstations (but it seems to be scheduled for samba-4 (I hope)) (and other things are only harder to get). I have found that ldap+pam+nfs may be an excellent option to use for unix workstations; I have even thought about doing a script to be run from a pam module that rsyncs the user dir with the central server (in order to have "roaming" home dirs, without nfs).

We are having a war at my college (UNET) in Venezuela to avoid using windows 2k3, and we have found that a point of weight is the CALs: you need a CAL for either every user in your AD (Active Directory), every workstation that would connect to the AD (this excludes authenticated web access, for let's say sharepoint portal, in which case you need extra CALs for web access), or every *authenticated connection* that will go to ANY of your servers (yes, that means you need a CAL even for web authenticated users, if they use AD to authenticate). That's why I'm working like mad to put together a "solution" that can do almost everything AD can offer, and I see that a large part of the work is already done; it is almost only a matter of "putting things together".

> Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Auth, not session; the mkhomedir is a session stage module.

> I need to authenticate windows 95,nt,2000,xp clients against the 2003AD to use their share, so 'security=ads' needs 'encrypt passwords=yes'. I wish that I could scrap the Windows2003 AD for a SAMBA/LDAP domain server. Unfortunately I have neither the time nor knowledge to implement that right now. I am working as an intern at this school, and my internship is over in two weeks. Once again, thanks for the help, but that option won't work for me.

Just try it, it is a matter of 10 minutes. Do the changes, create a new user, and login to a w2k workstation.

Ray
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Auto-Create Directory
Ray Holtz wrote:
> I have a samba server set so that each user in a windows 2003 active directory can have their own personal, private share. I would like to know how to set up Samba so that their directory is created automatically, rather than me creating 1300 directories on the linux server. I cannot use pam_mkhomedir.so because 'security = ads' in smb.conf and 'encryption = yes' must be there.

Yes, you can. It will use samba for session, not for auth (obey pam restrictions = Yes). I'm using it, on a samba PDC. Not sure if it will work with security=ads (I don't use w2k3, I use a samba PDC (I have even customers who are changing their w2k3 servers to samba, because of the CAL)).

> I thought about making a script to run in preexec every time, but would that take up a lot of CPU cycles? This is for a highschool, so every hour many, many students will all be logging on at the same time. Is there another way to have samba create a home directory for a user automatically?
>
> Thanks,
> Ray
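The "script to run in preexec" that Ray considers above, written out as an added example that is not from the thread or from the Samba project: a small POSIX sh helper for `root preexec` (a real smb.conf parameter, run as root before a share is connected) that creates the home directory only when it is missing, so on the busy logon hour a user who already has one costs a single directory test. The script path, the `HOME_BASE` and `SKEL_DIR` variables and the name checks are this example's own assumptions; the username is validated because `%U` comes from the client session and is used to build a filesystem path.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): a "root preexec"
# helper for the [homes] share that creates a missing home directory
# once.  Assumed smb.conf line (root preexec is a real parameter, the
# script path is a placeholder):
#     root preexec = /usr/local/sbin/mkhome.sh %U
# %U is the session username, i.e. data from the client, so it is
# validated before it becomes part of a path under HOME_BASE.

HOME_BASE="${HOME_BASE:-/home}"     # assumed base directory for homes
SKEL_DIR="${SKEL_DIR:-/etc/skel}"   # files copied into a new home

# valid_user NAME: accept only plain account names: letters, digits,
# '.', '_', '-', optionally ending in '$' (machine accounts).  Anything
# empty, with a '/', a '..' or a leading '-' is rejected, so a name can
# neither escape HOME_BASE nor be read as a command option.
valid_user() {
    case "$1" in
        ''|*/*|*..*|-*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+\$?$'
}

# ensure_home NAME: create HOME_BASE/NAME if absent.  Returns 0 when the
# directory exists afterwards, 1 on a rejected name or a failed step.
# The existence test runs first, so a user who already has a directory
# costs one stat() per session, not a mkdir or a skeleton copy.
ensure_home() {
    user="$1"
    valid_user "$user" || { echo "mkhome: rejected user name" >&2; return 1; }
    dir="$HOME_BASE/$user"
    [ -d "$dir" ] && return 0
    # Private by default (0700): a personal share on a shared school
    # server should not be readable by other students.
    mkdir -m 0700 "$dir" || return 1
    if [ -d "$SKEL_DIR" ]; then
        cp -R "$SKEL_DIR/." "$dir/" || return 1
    fi
    # Hand the directory to the account when the system can resolve it
    # (winbind or nss_ldap); otherwise leave it owned by root and say so,
    # rather than failing the connection with a half-made directory.
    if id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$dir" || return 1
    else
        echo "mkhome: $user not resolvable via NSS, $dir left owned by root" >&2
    fi
    return 0
}

# Invoked by smbd as a script: the username is the first argument.
if [ "${0##*/}" = "mkhome.sh" ]; then
    ensure_home "$1"
fi
```

Because the directory is created at share-connect time rather than at logon, this also works when `security = ads` keeps PAM out of authentication: `root preexec` does not depend on `obey pam restrictions` at all.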
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
What does your ldap.conf (or pam_ldap.conf or libnss-ldap.conf) look like? I assume it is something like this:

    nss_base_passwd dc=juwimm,dc=local?sub
    nss_base_shadow dc=juwimm,dc=local?sub
    nss_base_group ou=Groups,dc=juwimm,dc=local?one

Which, unless you have ldap for samba only, is not a very good idea. You should have something like:

    nss_base_passwd ou=Samba,dc=juwimm,dc=local?sub
    nss_base_shadow ou=Samba,dc=juwimm,dc=local?sub
    nss_base_group ou=Groups,dc=juwimm,dc=local?one

and use:

    ou=users,ou=Samba,dc=juwimm,dc=local

for your users, and

    ou=machines,ou=Samba,dc=juwimm,dc=local

for the computers, and put:

    ldap user suffix = ou=users,ou=Samba
    ldap machine suffix = ou=machines,ou=Samba

in your smb.conf. This way you can even have different samba PDCs in the same ldap, using different ou's (let's say that you have 4 domains in your network (different network segments, maybe); then you can keep them independent of each other, and still have a central user administration/storage). Or, of course, different services sharing the same ldap directory.

Andre Helberg wrote:
> Hi,
>
>     ldap admin dn = cn=root,dc=juwimm,dc=local
>     ldap suffix = ou=juwidc01,dc=juwimm,dc=local
>     ldap user suffix = ou=users
>     ldap group suffix = ou=groups
>     ldap machine suffix = ou=machines
>
> Works well with samba 3.0.2a on a suse 9.0 machine.
>
>> Has anyone had success placing Users and Computers in different ou's?
>>
>> regards
>> reza
Re: [Samba] Re: roaming profiles and samba
Hi!

The only trouble you could have is if you are not using folder redirection. In that case, every user will be using a "local copy" of the profile, and if any two users modify one file in the same session (different workstations), I'm not sure what will happen, but certainly one of these changes will be lost (I presume the changes made by the first user to log off).

Jim C. wrote:
> I do that all the time with no apparent trouble or corruption. I know that Samba uses the same locking mechanisms that NFS does. They live in the kernel I believe and that may be a clue. Just a theory, but what normally happens when more than one program asks an OS for access to a file is that it puts the writers to sleep and only allows one at a time access, but lets the readers read what they want.
>
>> I have a network comprised of a linux server (mandrake) running samba 3.0.4 as a PDC and clients all being windows xp. I am in the process of doing a practice run of roaming profiles and am currently stuck. What is the most common way to prevent two of the workstations from logging into the pdc and thus corrupting the roaming profile? I've googled this till I'm blue in the face and am getting nowhere. I can't possibly be the only person who's attempted such :) Any help would be MUCH appreciated. Please forgive me if I have improperly posted this or broken some other etiquette, this is my second post ever to such a list, so I apologise in advance for any mistakes.
>>
>> Mark
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
abebe lsslp wrote:
> I was having trouble sleeping last night, so I started going over your past e-mails. Do you remember asking me to make sure LDAP is authenticating system users? And I told you that it was. I was not completely lying, it authenticates 'testuser1' with no problem. However, 'administrator' is getting kicked out as soon as it logs in. Here is what it looks like:
>
>     [EMAIL PROTECTED] root]# ssh [EMAIL PROTECTED]
>     [EMAIL PROTECTED]'s password:
>     Last login: Tue Jul 20 09:49:05 2004 from 192.168.1.17
>     Connection to 192.168.1.10 closed.
>     [EMAIL PROTECTED] root]#

Of course:

    loginShell: /bin/false

It logs in, then just dies, because it has no shell. :)

> Here is part of 'slapd.log':
>
>     +++
>     Jul 20 10:22:31 eaglex slapd[20508]: conn=7 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>     Jul 20 10:22:31 eaglex slapd[20508]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:22:31 eaglex slapd[20508]: conn=7 fd=15 closed
>     Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=administrator))"
>     Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>     Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 fd=15 ACCEPT from IP=127.0.0.1:33263 (IP=0.0.0.0:389)
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 RESULT tag=97 err=0 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(uid=Administrator)"
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND anonymous mech=implicit ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND dn="uid=Administrator,ou=Users,dc=wbcoll,dc=edu" method=128
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND dn="uid=Administrator,ou=Users,dc=wbcoll,dc=edu" mech=simple ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 RESULT tag=97 err=0 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND anonymous mech=implicit ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 RESULT tag=97 err=0 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 fd=18 ACCEPT from IP=127.0.0.1:33264 (IP=0.0.0.0:389)
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 RESULT tag=97 err=0 text=
>     Jul 20 10:25:19 eaglex slapd[20508]: deferring operation
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=shadowAccount)(uid=Administrator))"
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
>     Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=8 op=4 UNBIND
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=8 fd=15 closed
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 fd=15 ACCEPT from IP=127.0.0.1:33265 (IP=0.0.0.0:389)
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=9 fd=18 closed
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 RESULT tag=97 err=0 text=
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(uid=Administrator)"
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SRCH base="ou=Groups,dc=wbcoll,dc=edu" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=uid=administrator,ou=users,dc=wbcoll,dc=edu)))"
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Jul 20 10:25:20 eaglex slapd[20508]: conn=10 fd=15 closed
>     +++
>
> Is it alright if I delete the files in '/var/lib/ldap/*' before I use 'slapindex'? When I do the 'ldapsearch' command, machin
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Mohammad Reza wrote:
> Dear lists...
>
> But this still doesn't solve the real problem, joining w2k to samba3-ldap. I'm here with the same situation. I even switched my distro to SuSe with the same result, still can't join the domain. Please give us a hint how to solve or debug this problem.

Sorry, I looked at the thread, and I don't have info about your problem with w2k. According to what I read at the link posted by Abebe, I think it may be a problem with the unix system not "seeing" the machine account created automatically by samba (ie, the smbldap-useradd script). You should be able to do a "su - winxp\$" as root, and it should log in:

    obelix:~# su - virtualxp\$
    No directory, logging in with HOME=/

Of course, it will not give you a prompt as virtualxp\$, because the shell is /bin/false, but if the user didn't exist, it would answer: Unknown ID, or something like that.

> regards
> reza
>
> -----Original Message-----
> From: Craig White [mailto:[EMAIL PROTECTED]]
> Sent: Tue 7/20/2004 9:48 AM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
>
> On Mon, 2004-07-19 at 19:34, José Ildefonso Camargo Tolosa wrote:
>>> http://samba.idealx.org/smbldap-howto.fr.html as you recommended. I have one big question, which one do I put in '/etc/ldap.conf'
>>>
>>>     nss_base_passwd dc=wbcoll,dc=edu?one
>>>     nss_base_shadow dc=wbcoll,dc=edu?one
>>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>> or
>>>
>>>     nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
>>>     nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
>>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> Neither, use this:
>>
>>     nss_base_passwd dc=wbcoll,dc=edu?sub
>>     nss_base_shadow dc=wbcoll,dc=edu?sub
>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> Look at the sub, it tells the system to descend to all the sub-objects it may have.
>
> ---
> It is pertinent to consider that this suggestion waives any efficiency for ease of use as it will tell all user lookups to search the entire LDAP tree. I already told him to use his second choice as that is most efficient.
>
> I recognize that your option would permit the option of trying to use a separate organizational unit for Computers but this guy is endlessly confused, and simple is clearly better for his purposes, without considering the impact of excessive searching of the LDAP db.
>
> Craig
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Craig White wrote:
> On Mon, 2004-07-19 at 19:34, José Ildefonso Camargo Tolosa wrote:
>>> http://samba.idealx.org/smbldap-howto.fr.html as you recommended. I have one big question, which one do I put in '/etc/ldap.conf'
>>>
>>>     nss_base_passwd dc=wbcoll,dc=edu?one
>>>     nss_base_shadow dc=wbcoll,dc=edu?one
>>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>> or
>>>
>>>     nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
>>>     nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
>>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> Neither, use this:
>>
>>     nss_base_passwd dc=wbcoll,dc=edu?sub
>>     nss_base_shadow dc=wbcoll,dc=edu?sub
>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> Look at the sub, it tells the system to descend to all the sub-objects it may have.
>
> ---
> It is pertinent to consider that this suggestion waives any efficiency for ease of use as it will tell all user lookups to search the entire LDAP tree.

In fact, you should do something like this (that's what I did, if you read the thread):

    nss_base_passwd ou=Accounts,dc=wbcoll,dc=edu?sub
    nss_base_shadow ou=Accounts,dc=wbcoll,dc=edu?sub
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one

And under ou=Accounts,dc=wbcoll,dc=edu, you create another ou:

    ou=People,ou=Accounts,dc=wbcoll,dc=edu

Here you place user accounts, and put this in the smb.conf for users;

    ou=Computers,ou=Accounts,dc=wbcoll,dc=edu

and here you place computer accounts. Of course, you can call Accounts whatever you want to call it: samba, domains, I don't know.

> I already told him to use his second choice as that is most efficient.
>
> I recognize that your option would permit the option of trying to use a separate organizational unit for Computers but this guy is endlessly confused, and simple is clearly better for his purposes, without considering the impact of excessive searching of the LDAP db.

If you only have the ldap for samba, there will not be any problem. It will also allow you to create other ou's to further organize your users (you can't ask someone to have, let's say, 900 users in just one ou). This would also allow you to delegate the administration of a group of users to another person, without giving him access to the whole directory. I was endlessly confused myself when I started with this; I read many different howtos, all of them saying different things. And I have been a samba user for more than two years, I just started to use it with ldap about five months ago.

> Craig

Ildefonso Camargo
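The `?one` versus `?sub` question that runs through this thread (abebe's two ldap.conf candidates, Craig's efficiency objection, and the ou=Accounts layout above), as an added example that is not from the list and not nss_ldap or pam_ldap code: a POSIX sh script that applies the two scope rules to a constructed set of DNs shaped like the tree discussed (a user under ou=People, a machine account under ou=Computers, both below ou=Accounts, and a group under ou=Groups, all under dc=wbcoll,dc=edu). Only DN matching is modelled; the real NSS module additionally applies its objectClass filter, so the group entry lies inside the scope of a `dc=wbcoll,dc=edu?sub` search but would not come back as a passwd entry. All DNs, the function names and the script name `ldapscope.sh` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not nss_ldap code): what the ?one
# and ?sub scope suffixes on nss_base_passwd select, applied to DN
# strings only.  No directory server is contacted.

# Constructed sample entries, shaped like the tree discussed on the
# list: a user under ou=People, a machine account under ou=Computers
# (both below ou=Accounts) and a group under ou=Groups.
SAMPLE_DNS='uid=testuser1,ou=People,ou=Accounts,dc=wbcoll,dc=edu
uid=winxp$,ou=Computers,ou=Accounts,dc=wbcoll,dc=edu
cn=Domain Users,ou=Groups,dc=wbcoll,dc=edu'

# dn_parent DN: drop the leading RDN ("uid=x,ou=P,dc=e" -> "ou=P,dc=e").
dn_parent() { printf '%s\n' "${1#*,}"; }

# dn_under DN BASE: 0 if DN lies strictly below BASE (ends in ",BASE").
dn_under() { case "$1" in *",$2") return 0 ;; esac; return 1; }

# in_scope DN BASE SCOPE: 0 if a search with that base and scope returns DN.
#   one -> immediate children of BASE only (what "?one" means)
#   sub -> BASE itself and its whole subtree (what "?sub" means)
in_scope() {
    case "$3" in
        one) [ "$(dn_parent "$1")" = "$2" ] ;;
        sub) [ "$1" = "$2" ] || dn_under "$1" "$2" ;;
        *)   echo "in_scope: unknown scope '$3'" >&2; return 2 ;;
    esac
}

# count_in_scope BASE SCOPE: number of sample DNs inside the search scope
# that "nss_base_passwd BASE?SCOPE" defines.  The real module adds an
# objectClass filter on top of this, so being in scope is necessary,
# not sufficient, for an entry to come back as a passwd record.
count_in_scope() {
    n=0
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        if in_scope "$dn" "$1" "$2"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE_DNS
EOF
    echo "$n"
}

# Run directly: compare the settings debated on the list.
if [ "${0##*/}" = "ldapscope.sh" ]; then
    for spec in 'ou=People,ou=Accounts,dc=wbcoll,dc=edu?one' \
                'ou=Accounts,dc=wbcoll,dc=edu?one' \
                'ou=Accounts,dc=wbcoll,dc=edu?sub' \
                'dc=wbcoll,dc=edu?sub'; do
        base="${spec%\?*}"
        scope="${spec#*\?}"
        echo "nss_base_passwd $spec -> $(count_in_scope "$base" "$scope") of 3 sample entries in scope"
    done
fi
```

Run as `sh ldapscope.sh`, the four lines show the trade-off in the thread: `ou=People...?one` sees the user but never the machine account in ou=Computers, `ou=Accounts...?one` sees nothing (both accounts are grandchildren, not children), `ou=Accounts...?sub` sees both accounts and stops at the accounts subtree, and `dc=wbcoll,dc=edu?sub` pulls the group entry into every passwd lookup as well, which is Craig's objection.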
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Hi!

abebe lsslp wrote:
> Hey, thanks for the help. I think I am about to take you up on your offer. Since you said to ask if I have any question, here I am.

Ok.

> I usually do the installation from the top of my head, but I followed

It's always better to never trust anything one reads, just test it and try to figure out how it really works. I used both, the idealx howto and the samba-3 by example. Well, I also used some info from the samba-3 howto.

> http://samba.idealx.org/smbldap-howto.fr.html as you recommended. I have one big question, which one do I put in '/etc/ldap.conf'
>
>     nss_base_passwd dc=wbcoll,dc=edu?one
>     nss_base_shadow dc=wbcoll,dc=edu?one
>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>
> or
>
>     nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
>     nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one

Neither, use this:

    nss_base_passwd dc=wbcoll,dc=edu?sub
    nss_base_shadow dc=wbcoll,dc=edu?sub
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one

Look at the sub, it tells the system to descend to all the sub-objects it may have.

> The idealx howto was not really clear on this one. I have posted the problems I have and other detailed installation steps and configuration files at http://150.208.105.24/smbldap-pdc/smbldap-pdc.html. The files are one directory below at http://150.208.105.24/smbldap-pdc/
>
> I am not really using "ldap ssl = start tls" yet. I will get to that part after I get the rest of the stuff working.
>
> Thanks again,
> Ambex
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Hi!

Try this: In /etc/ldap.conf:

    scope sub

(uncomment it). Instead of:

    nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
    nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one

try:

    nss_base_passwd dc=wbcoll,dc=edu?sub
    nss_base_shadow dc=wbcoll,dc=edu?sub
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one

Not sure right now, but I have a /etc/libnss-ldap.conf; I made the same modifications to it. With this you can keep your computers in another ou. I did something different:

    nss_base_passwd ou=Accounts,dc=merkurio,dc=int?sub
    nss_base_shadow ou=Accounts,dc=merkurio,dc=int?sub
    nss_base_group ou=Groups,dc=merkurio,dc=int?one

And under Accounts (ou=People,ou=Accounts,) I created the users, and under ou=Computers,ou=Accounts, I pointed the machine suffix in the smb.conf (my smb.conf), but it is somewhat tricky to get it to work with smbldap-populate.

    [global]
    workgroup = MERKURIO.INT
    interfaces = eth0, lo
    bind interfaces only = Yes
    min passwd length = 7
    passdb backend = ldapsam:ldap://ldap.merkurio.int
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    min protocol = LANMAN2
    time server = Yes
    server signing = auto
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    domain logons = Yes
    os level = 40
    preferred master = Yes
    domain master = Yes
    ldap suffix = dc=merkurio,dc=int
    ldap machine suffix = ou=Computers,ou=Accounts
    ldap user suffix = ou=People,ou=Accounts
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=merkurio,dc=int
    ldap ssl = start tls
    ldap passwd sync = Yes
    ldap delete dn = Yes

    [netlogon]
    path = /var/lib/samba/netlogon
    browseable = No

    [homes]
    read only = No
    browseable = No

    [cosa]
    path = /home/ftp/

    [profile]
    path = /samba/profile
    read only = No
    profile acls = Yes
    browseable = No

The tls requires that the cert is correctly issued (ie, the host name should match the cert's cn). I haven't tested this config completely (I need to test the password change from win workstations).

Hope this helped,

Sincerely,

Ildefonso Camargo

Craig White wrote:
> On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
>> Hey Craig,
>>
>> Here is what's happening. I've got nothing but headache from looking at log level 10, but finally I finished going over it. For those of you who have not been following, check http://150.208.105.24/smbldap-pdc.html
>>
>>     smbd/process.c:timeout_processing(1332) timeout_processing: End of file from client (client has disconnected).
>
> You are attempting to join WinXP to domain, are asked for the name/password/domain of a user who has sufficient privileges to add a machine to the domain and it fails to finish? The machine is indeed added to LDAP - that's all I can figure out from your email.
>
> First off - my understanding is that Machine accounts should still be located in the People subtree and not in the Computers subtree because subsequent searches will not locate it there. If this has been fixed, I'm sure someone will correct me.
>
>> I have tried it your way as well.
>>
>> #1 Changed the entry in '/etc/ldap.conf' to
>>
>>     nss_base_passwd ou=People,dc=wbcoll,dc=edu?one
>>     nss_base_shadow ou=People,dc=wbcoll,dc=edu?one
>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> #2 changed the entry in the '/etc/samba/smb.conf' file, I changed
>>
>>     ldap machine suffix = ou=People
>>
>> #3 and finally, the entry in '/etc/smbldap-tools/smbldap.conf'
>>
>>     # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>>     computersdn="ou=People,dc=wbcoll,dc=edu"
>>
>> However, I am sure the "ou=Computers" entry works. A lot of documentation, including idealx.org, would have corrected their documentation if it wasn't so.
>
> Secondly - ldap log?
>
>> I couldn't find any hint that leads me to believe the ldap doesn't work, but you might see something I don't. You will find the whole 'slapd.log' file here: http://150.208.105.24/smbldap-pdc/. (There are also log files for the xp machine: 'winxp.log.html' is log level 10 and 'winxp_log.html' is log level 3.)
>
> Log level 10 doesn't really tell me anything log level 3 doesn't.
>
> SID's don't match...
>
>     dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
>     sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
>     sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
>
>     pdbedit -Lv testuser1
>     User SID: S-1-5-21-1414736517-1990894286-2385622597-3000
>     Primary Group SID: S-1-5-21-1414736517-1990894286-2385622597-513
>
> Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
>
> This should be one of the first things you check.
>
> Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary
Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Hi.

I think you are having a lot of trouble. Take a look at: http://samba.idealx.org/smbldap-howto.fr.html (it is in english). And: http://us1.samba.org/samba/docs/Samba-Guide.pdf (this is samba-3 by example; use the pdf, the html is missing some images). Look at chapters 6 and 7 (very good, but complement it with the url from idealx). There are only a couple of minor details in samba-3 by example, otherwise it is an EXCELLENT book (I would buy it, if I had the money :( ). If you have any more questions, just ask.

c-ya!

Ildefonso Camargo
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Craig White wrote:
> On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
>> Hey Craig,
>>
>> Here is what's happening. I've got nothing but headache from looking at log level 10, but finally I finished going over it. For those of you who have not been following, check http://150.208.105.24/smbldap-pdc.html
>>
>>     smbd/process.c:timeout_processing(1332) timeout_processing: End of file from client (client has disconnected).
>
> You are attempting to join WinXP to domain, are asked for the name/password/domain of a user who has sufficient privileges to add a machine to the domain and it fails to finish? The machine is indeed added to LDAP - that's all I can figure out from your email.
>
> First off - my understanding is that Machine accounts should still be located in the People subtree and not in the Computers subtree because subsequent searches will not locate it there. If this has been fixed, I'm sure someone will correct me.
>
>> I have tried it your way as well.
>>
>> #1 Changed the entry in '/etc/ldap.conf' to
>>
>>     nss_base_passwd ou=People,dc=wbcoll,dc=edu?one
>>     nss_base_shadow ou=People,dc=wbcoll,dc=edu?one
>>     nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>> #2 changed the entry in the '/etc/samba/smb.conf' file, I changed
>>
>>     ldap machine suffix = ou=People
>>
>> #3 and finally, the entry in '/etc/smbldap-tools/smbldap.conf'
>>
>>     # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>>     computersdn="ou=People,dc=wbcoll,dc=edu"
>>
>> However, I am sure the "ou=Computers" entry works. A lot of documentation, including idealx.org, would have corrected their documentation if it wasn't so.
>
> Secondly - ldap log?
>
>> I couldn't find any hint that leads me to believe the ldap doesn't work, but you might see something I don't. You will find the whole 'slapd.log' file here: http://150.208.105.24/smbldap-pdc/. (There are also log files for the xp machine: 'winxp.log.html' is log level 10 and 'winxp_log.html' is log level 3.)
>
> Log level 10 doesn't really tell me anything log level 3 doesn't.
>
> SID's don't match...
>
>     dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
>     sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
>     sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
>
>     pdbedit -Lv testuser1
>     User SID: S-1-5-21-1414736517-1990894286-2385622597-3000
>     Primary Group SID: S-1-5-21-1414736517-1990894286-2385622597-513
>
> Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
>
> This should be one of the first things you check.
>
> Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary posix gid for all users to a posix labeled group and my /etc/samba/smbusers looks like this:
>
>     # cat /etc/samba/smbusers
>     # Unix_name = SMB_name1 SMB_name2 ...
>     root = Administrator administrator admin
>     nobody = guest pcguest smbguest
>
> I hope this helps.
>
> Craig
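Craig's "SIDs don't match" check, carried out offline as an added example that is not from the thread or from Samba: the SIDs quoted in his message are split into domain part and RID and compared with a domain SID. The domain SID itself is not quoted in the thread; this example assumes it is the prefix of the pdbedit output, which is the value `net getlocalsid` (a real Samba command) would print for the passdb Samba is actually using. The function names and the script name `sidcheck.sh` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): Craig's "SIDs
# don't match" check done offline.  A Samba account SID is
# <domain SID>-<RID>; every sambaSID stored in LDAP must carry the SID
# of the domain this server actually serves, or domain joins and logons
# fail while the LDAP entries themselves look fine.  Inputs are strings.

# Values quoted in Craig's message.
LDAP_USER_SID='S-1-5-21-952094410-1508517273-1204454084-2996'
LDAP_GROUP_SID='S-1-5-21-952094410-1508517273-1204454084-512'
PDBEDIT_USER_SID='S-1-5-21-1414736517-1990894286-2385622597-3000'

# Assumed domain SID: the thread does not quote it, so this example
# takes the prefix of the pdbedit output.  On a real server use what
# `net getlocalsid` prints.
DOMAIN_SID='S-1-5-21-1414736517-1990894286-2385622597'

# sid_valid SID: 0 if SID has the form S-1-<authority>-<subauthority>...
sid_valid() { printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'; }

# sid_domain SID: the SID without its last component (the RID).
sid_domain() { printf '%s\n' "${1%-*}"; }

# sid_rid SID: the last component only.
sid_rid() { printf '%s\n' "${1##*-}"; }

# sid_matches_domain SID DOMAIN: 0 if SID was issued by DOMAIN,
# 1 if it belongs to another domain, 2 if either input is malformed.
sid_matches_domain() {
    { sid_valid "$1" && sid_valid "$2"; } || return 2
    [ "$(sid_domain "$1")" = "$2" ]
}

# check_entry LABEL SID DOMAIN: print one report line; the exit status is
# that of sid_matches_domain, so a loop over ldapsearch output can count
# the entries that need their SID rewritten.
check_entry() {
    if sid_matches_domain "$2" "$3"; then
        echo "OK       $1: RID $(sid_rid "$2") in domain $3"
        return 0
    fi
    echo "MISMATCH $1: $2 was issued by $(sid_domain "$2"), expected $3"
    return 1
}

if [ "${0##*/}" = "sidcheck.sh" ]; then
    check_entry "sambaSID uid=Administrator"             "$LDAP_USER_SID"    "$DOMAIN_SID"
    check_entry "sambaPrimaryGroupSID uid=Administrator" "$LDAP_GROUP_SID"   "$DOMAIN_SID"
    check_entry "pdbedit testuser1"                      "$PDBEDIT_USER_SID" "$DOMAIN_SID"
fi
```

On the values from the thread the first two lines report MISMATCH and the third OK: the Administrator entry in LDAP carries SIDs from a different domain than the one pdbedit is reading, which is exactly the condition Craig says to check first, and it explains a domain join that fails even though the machine account does get created.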
Re: [Samba] best filesystem choice for samba
Hi!

Malcolm Baldridge wrote:
> Quoting Mark Lidstone <[EMAIL PROTECTED]>:
>
> ARGH! I'm wondering if airing thoughts about VFAT performance publicly was a good idea. I doubt VFAT's case insensitivity would be worth dealing with its terrible linear-search-time directory lookup methods.
>
> The reason I suggested reiserfs (or ext3 with directory hashing) is to reduce the high costs of locating a directory entry within a directory of many (> 10,000) files. msdos/vfat does not offer superior directory lookup times, and from my limited testing, neither does NTFS. ext2/ext3 in stock configuration is also slow, though it appears very recent kernels/ext2fsutils offer an FFS-like "directory hashing" option which needs a format-time decision to be made upon setting up the filesystem.

You can enable it with tune2fs:

    obelix:~# tune2fs -O dir_index /dev/hda3

See man tune2fs for more help.

> <>
>
> I have no knowledge about XFS or JFS and how they compare. I know both are "industrial" filesystems brought down from the Ivory Towers onto the pipsqueak platforms.
>
> As for "horror stories", well, each filesystem has had their respective tales of misery and woe... ext3 had shocking and fatal dataloss bugs in the adolescent versions of 2.4.x., and some RAID + reiserfs configs saw some real wowsers as well. From bug reports/changelogs, I've seen similar tales of woe for XFS and JFS if you trigger just the right combination of things.
>
> From my own experiences, things have matured and stabilised with reiserfs and ext3 to the point where using either is fine for my purposes.

I had a very bad experience with reiser: 4 servers installed with reiser, 4 servers died due to filesystem corruption in a time that varied from two to six months (the last one had a UPS, the others not). I reinstalled them with ext3: almost a year since I reinstalled the first: no problems.

> The decision comes down to:
>
> 1) Do you need quotas? If yes, you cannot use reiserfs.
>
> 2) Do you need ACLs? If yes, only ext2/ext3 has well-tested seamless support, though I think there are wildcat patches to bring this to XFS (and maybe others) as well. I'm not sure about the stability of this.
>
> ext3 used with -O dir_index *MAY* provide better performance for large directory list lookups, but I've never tested it. It requires Linux 2.6 for starters for the kernel-side stuff to actually support it properly. grepping the linux 2.4 source shows no mention of hashing b-trees or dir_index options for ext[23]. This is a RECENT addition to ext3, and I don't think the support actually exists within 2.4 yet. I've seen mention of "special backported patches" but this smells scarier to me than using filesystems which have been seamlessly integrated for over a year or so now.
>
> So in terms of viable performance-driven alternatives, I see it being reiserfs, xfs, or jfs.

In my experience: the fourth server (the one with the UPS): Dual XEON, 2Gb RAM, 3x36Gb scsi disks in a raid-5 array on a smart array 5300, running squid: it was slower then (with reiser) than now (with ext3). I have only seen reiser to be faster when I delete a LARGE file (>1Gb). I'm going to test ext3 with the dir_index option.

> vfat/dos isn't faster, even with case insensitive semantics, for directory sizes of 20,000 or more.

I agree.

Ildefonso
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [Samba] Wishlist for v4.0 Integration / Setup of samba.
Hi!

Jacob A. Alifrangis wrote:
> Is there maybe a way to consolidate (At the developer level) all of the tools and methods into one concise list.

samba is not really tightly integrated with the OS, thank God. This allows it to be compiled on almost any *nix flavor.

> Is there maybe a way to re-organise the way samba works? maybe to make it completely emulate the way it works on the windows command line?

I don't like windows's net command, nor the route, nor the "tracert" (come on, who wrote these?), nor the ping (yes, not even the ping). If somebody wants a "windows compatible" net command, write a wrapper script. (please, read on, I just don't like the feeling of using the same thing on windows and linux).

> for example make everything integrated into the net command.
>
>     net use (file system mounting)
>     net passwd
>     net start,stop,restart [service] would trigger the /etc/rc.d/[service] script.
>     net print [cups->samba]
>
> so on and so forth.

there is an easier way.

> We should also maybe invest some time into making a better (wizard) routine for configuring samba, joining it to the domain, bringing it up as an ads/pdc/bdc machine.

Improve the swat wizard, sounds cool. Although I only used it once, I think that any newbie would be thankful.

> There should also be a way to configure ldap and samba to work together, this manual config-shit is useless.

I like the "manual config-shit", and it is very useful (it works very, very well), I can use whatever ldap server I want, but there should be an option to do it "automatically". But, you should be able to do it by hand still (that is exactly what I like of the open source world, you can "adapt" things to your taste, in case you don't like them). Additionally, samba can be integrated with almost any ldap I know. In order to make it "automagic", it would be necessary to choose one ldap server to support; the others would still need to be configured by hand (this is due to the different ways of installing schemas of each one).

> A good method might be to detect the current network setup and make the appropriate changes and settings. There should also be a net share command to quickly export trees from the commandline. the tool should work on the commandline first, then X. not all servers have an X server running.
>
> Well, hope I could help and bring a little insight into the group.
Re: [Samba] What can I lose if I use ldap compatibility with samba 2 schema?
Sorry, I answer myself: I don't have to do it: there is a patch for supporting samba 3 in the Directory Administrator's place at sourceforge.

José Ildefonso Camargo Tolosa wrote:

Hi! I'm trying to use Directory Administrator from http://diradmin.open-it.org/files.php, but it only works with the old sambaAccount schema, so my question would be: What is *really* new on samba 3 with the use of sambaSamAccount? Do I lose something if I use the compat mode? Thanks in advance for any answer, sincerely, Ildefonso Camargo
[Samba] What can I lose if I use ldap compatibility with samba 2 schema?
Hi! I'm trying to use Directory Administrator from http://diradmin.open-it.org/files.php, but it only works with the old sambaAccount schema, so my question would be: What is *really* new on samba 3 with the use of sambaSamAccount? Do I lose something if I use the compat mode? Thanks in advance for any answer, sincerely, Ildefonso Camargo
Re: [Samba] Smb PDC cracks with ldap, without ok
Hi!

Miguel Casas-Sánchez wrote:

Hi everybody, I have a puzzling situation. I am trying to set up a PDC domain controller, Suse 9.1 with Samba 3.0.4 (ok, suse comes with 3.0.2 but I have tried almost everything XD), authenticating against ldap 2.2.6 (original suse); also with the smbldap-tools. The situation is, everything works fine without ldap, that is, smbpasswd backend; I did create the directories for profiles and I got away with it, roaming and so on. The thing is when I connect ldap, ldapsam backend, the first logon process for machines goes ok, but when trying to log into the domain as a user, the computer hangs up or does a reset. Watching the slapd messages, the authentication is correct, so it seems like a problem when trying to download the profile. It seems quite a trivial matter but a little bit annoying.

Take a read of Samba-Guide.pdf (it is in the docs dir in the source distro, or on the samba web page). I read somewhere that when it takes too long to load the profile, the windows machine could produce a "blue screen" which, in XP in its default config, will just reset.

I'm going a long way with this problem, so does anybody mind helping me? thanks in advance.

-- Miguel Casas-Sánchez FDMV Lübeck m.casas_at_falk-meddv.de
Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Ok, let me see if I can help here:

Let me see: Your clients are updating data on the slave ldap server? Ok, you should not allow that (unless you try the "experimental" multi-master replication code, which can fail). You should use another ldap user, like this:

cn=adminmaster,dc=cosa,dc=int

which has write permissions on the master, but read-only access on slaves (by using different access statements in the master and the slave). I use something like this in the master:

access to * by dn="cn=ldapadmin,dc=merkurio,dc=int" write by * read

And the updatedn would be the rootdn of the slave (so, it has write access to the slave).

Ok, hope this can help, Sincerely, Ildefonso Camargo

McKeever Chris wrote:

On Fri, 18 Jun 2004 15:38 , Michael Gasch <[EMAIL PROTECTED]> sent:

Isn't the slave ldap directory supposed to be only read only?

if it's readonly, slurpd can't update the slave (i've tested it, possibly i missed something ?) the problem is: machines regularly change their passwords and if these changes are not done on the master, they're lost, if master comes back -> clients can't logon anymore and so on

maybe I am missing something here - but why does your master ldap fail so often? I agree with the other poster, the slave LDAPS should be (and I would almost move to _need_ to be) read only ..

I am also curious as to why you have a samba server contacting either the PDC/BDC ldap servers when it could just be running a replicated LDAP DB itself...which is how all the docs say to do it - maybe this is something new with 3.xx - not sure, but it always seemed more logical to have all your samba boxes be their own DC in terms of login/user information

If your master does fail - and I mean dead, need to rebuild, etc..I would make one of the slaves the write/master, get the original MASTER back on line, but not in production until you can do a slapcat of the LDAP to it, change everything back to what it needs to be, and have your system running again but like I said, maybe I am missing something

I'm having some troubles getting the failover to work

what problems are you talking about? these are my config files (/etc/ldap.conf for all machines not included but also very important in case of fail-over) ... removed ...

Jason C. Waters schrieb:

Isn't the slave ldap directory supposed to be only read only? So when the master is down the users can't change their passwords, but everything else should work. What do your smb.conf and slapd.conf files look like for the master and the slave? I'm having some troubles getting the failover to work, so I wouldn't mind a peek. Thanks Jason

Michael Gasch wrote:

hi, i'm looking for hints/experiences concerning samba v3, openldap AND redundancy. my setup is:

Samba PDC with LDAP Master
Samba BDC with LDAP Slave
Samba Member Server, contacting first PDC, then BDC if the first fails

if all instances are working properly, everything is okay. replication is also fine (from Master -> Slave). and now imagine: LDAP Master dies. all smbd are contacting LDAP Slave and make their changes in the Slave directory. cause replication only works from Master->Slave, if Master comes up again, i have inconsistency in my LDAP Backends, e.g. a machine changes its machine password in Slave directory and can't logon anymore cause the password change isn't replicated on Master.

we also tried to setup slurpd (LDAP replication) on both LDAP Servers - if both are up, everything is okay, if one is down, changes are made in one directory, samba tells me it fails (e.g. changing passwords), although it changes the attributes and so on.

so the problem is: if Slave dies, everything should go on working, because PDC/BDC use at first LDAP Master; if slave comes up, replication is done properly. but if Master dies, i get an inconsistent domain. how do you get redundancy in your LDAP backend? PDC/BDC redundancy works well, the single-point-of-failure is LDAP. thx

---
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref.com
Prudential Preferred Properties, www.prupref.com
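The split Ildefonso describes (one bind DN that may write on the master but only read on the slave, with the slave's rootdn reserved for slurpd as updatedn) is easiest to reason about by walking through slapd's access-control evaluation. The following is an added, constructed simulation written for this archive, not configuration or code from the thread: it parses the "access to ... by ... write by * read" line quoted above and shows which binds can write on which server. Only cn=ldapadmin,dc=merkurio,dc=int is taken from the post; the rootdn and replica DNs are invented, and the slave's access line is an assumed read-only one.

```python
"""Who may write on a master/slave OpenLDAP pair, modelled on slapd's ACL rules.

Constructed example for the thread above. Assumptions: the master's access line is
the one quoted in the post; the slave carries an assumed "access to * by * read";
rootdn values are made up. Modelled slapd behaviour: directives are tried in order,
the first "access to" whose <what> covers the entry wins, the first matching "by"
inside it decides the level, and the rootdn is never subject to access directives.
"""
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_access(line):
    """Parse 'access to <what> by <who> <level> [by <who> <level> ...]'."""
    toks = shlex.split(line)  # shlex keeps dn="..." together and drops the quotes
    if toks[:2] != ["access", "to"] or len(toks) < 3:
        raise ValueError(f"not an access directive: {line!r}")
    what, by_clauses, i = toks[2], [], 3
    while i < len(toks):
        if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
            raise ValueError(f"malformed by-clause near token {i} in {line!r}")
        by_clauses.append((toks[i + 1], toks[i + 2]))
        i += 3
    return what, by_clauses


def who_matches(who, requester):
    """<who> forms handled: '*', 'anonymous', 'users', dn=<exact DN>; requester None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who.startswith("dn="):
        return requester is not None and who[3:].lower() == requester.lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def access_level(acl, rootdn, requester, target_dn="*"):
    """Level the requester gets on target_dn under the ACL list (first match wins)."""
    if requester is not None and requester.lower() == rootdn.lower():
        return "write"  # rootdn bypasses access control entirely
    for what, by_clauses in acl:
        if what == "*" or what.lower() == target_dn.lower():
            for who, level in by_clauses:
                if who_matches(who, requester):
                    return level
            return "none"  # <what> matched but no <by> did: implicit 'by * none'
    return "none"  # nothing matched: default deny


def can_write(acl, rootdn, requester, target_dn="*"):
    return LEVELS.index(access_level(acl, rootdn, requester, target_dn)) >= LEVELS.index("write")


# Master: the identity Samba binds with may write, everyone else only reads (line from the post).
MASTER_ROOTDN = "cn=Manager,dc=merkurio,dc=int"  # constructed
MASTER_ACL = [parse_access('access to * by dn="cn=ldapadmin,dc=merkurio,dc=int" write by * read')]

# Slave: read-only for every bind; only its rootdn, which slurpd uses as updatedn, can write.
SLAVE_ROOTDN = "cn=replica,dc=merkurio,dc=int"  # constructed
SLAVE_UPDATEDN = SLAVE_ROOTDN  # "the updatedn would be the rootdn of the slave"
SLAVE_ACL = [parse_access("access to * by * read")]  # assumed slave access line


def failover_check(samba_bind_dn="cn=ldapadmin,dc=merkurio,dc=int"):
    """What happens to writes when smbd falls back from the master to the slave."""
    return {
        "samba_writes_master": can_write(MASTER_ACL, MASTER_ROOTDN, samba_bind_dn),
        "samba_writes_slave": can_write(SLAVE_ACL, SLAVE_ROOTDN, samba_bind_dn),
        "slurpd_writes_slave": can_write(SLAVE_ACL, SLAVE_ROOTDN, SLAVE_UPDATEDN),
        "anonymous_on_master": access_level(MASTER_ACL, MASTER_ROOTDN, None),
    }


if __name__ == "__main__":
    for name, result in failover_check().items():
        print(f"{name}: {result}")
```

With this split a machine-password change attempted against the slave while the master is down is refused outright instead of being accepted and then lost when the master returns, which is exactly the inconsistency Michael ran into. A refused write is visible in the smbd log, whereas a silently diverged replica is not, so the read-only slave turns a data-integrity problem into a detectable availability problem.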
[Samba] Detail on Samba 3 By Example (comments).
Hi!

I have been reading the Samba 3 by Example available on the web site (samba-guide.pdf), I think it is very good, but have a question:

- In section 6.3.5 (page 150, numerated), there is a note which says that the computer accounts must be inside the People container due to an error in samba. Is this true? or can it be due to the config of the nss-ldap and the pam-ldap modules which is in the book?:

()
> nss_base_passwd ou=People,dc=abmas,dc=biz?one
> nss_base_shadow ou=People,dc=abmas,dc=biz?one
> nss_base_group ou=Groups,dc=abmas,dc=biz?one
()

The original config looks for user accounts (including the computer ones) only in the container People, so, when the computer accounts are created, nss and pam don't look at them, and samba would fail. I think the first two should be:

nss_base_passwd dc=abmas,dc=biz?sub
nss_base_shadow dc=abmas,dc=biz?sub

Or, if you don't want it to look into ou=Groups when looking for users, you can create another ou=Accounts with two "sub ous": ou=People and ou=Computers, and the entries would look like:

nss_base_passwd ou=Accounts,dc=abmas,dc=biz?sub
nss_base_shadow ou=Accounts,dc=abmas,dc=biz?sub

Not sure, but I'm using it this way on my computer, and it works just fine. I'm using samba 3.0.4, but it seems that on 3.0.2a it worked this way too.

Thanks once again for writing this excellent book, and thanks in advance for any comments on this, Sincerely, Ildefonso Camargo
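The whole question above turns on what the "?one" and "?sub" suffixes of nss_base_passwd mean as LDAP search scopes. The following is an added example written for this archive, not code from the book or from nss_ldap: it implements the scope test and shows, on a constructed tree, which account DNs each of the three nss_base_passwd settings quoted above can reach. Only the base DN dc=abmas,dc=biz and the ou names come from the post; the uid/cn values are made up. It only models scope; nss_ldap additionally applies an objectClass filter, so an entry being "in scope" here means it gets searched, not that it is returned as a passwd entry.

```python
"""Which entries an nss_ldap 'nss_base_passwd <base>?<scope>' setting can see.

Constructed example for the post above: the tree layouts and account DNs are made up
around the book's base dc=abmas,dc=biz. Modelled: LDAP search scope only (base/one/sub);
the objectClass filter nss_ldap adds is not modelled.
"""


def split_dn(dn):
    """Split a DN into RDN strings, most specific first, case-folded.
    Assumes no escaped commas, which holds for every DN used here."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(base, scope, dn):
    """LDAP search-scope test: 'base' matches only the base entry, 'one' only its
    immediate children, 'sub' the base entry and everything beneath it."""
    b, d = split_dn(base), split_dn(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # dn does not lie under base at all
    depth = len(d) - len(b)  # 0 = the base itself, 1 = a child, 2 = a grandchild ...
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_nss_base(value):
    """'ou=People,dc=abmas,dc=biz?one' -> ('ou=People,dc=abmas,dc=biz', 'one').
    nss_ldap searches with scope 'sub' when no scope suffix is given."""
    parts = value.split("?")
    base = parts[0].strip()
    scope = parts[1].strip() if len(parts) > 1 and parts[1].strip() else "sub"
    return base, scope


def visible_entries(nss_base_value, entries):
    """Return the DNs from `entries` that a search with this nss_base setting covers."""
    base, scope = parse_nss_base(nss_base_value)
    return [dn for dn in entries if in_scope(base, scope, dn)]


# Layout used by the book's config: People, Computers and Groups side by side. (constructed DNs)
BOOK_TREE = [
    "uid=jbloggs,ou=People,dc=abmas,dc=biz",  # a user account
    "uid=ws01$,ou=Computers,dc=abmas,dc=biz",  # a machine (trust) account
    "cn=Domain Users,ou=Groups,dc=abmas,dc=biz",  # a group entry
]

# Layout proposed in the post: People and Computers under a shared ou=Accounts. (constructed DNs)
REORGANISED_TREE = [
    "uid=jbloggs,ou=People,ou=Accounts,dc=abmas,dc=biz",
    "uid=ws01$,ou=Computers,ou=Accounts,dc=abmas,dc=biz",
    "cn=Domain Users,ou=Groups,dc=abmas,dc=biz",
]


def compare_settings():
    """The three nss_base_passwd lines discussed above, run against the matching tree."""
    return {
        "book ?one": visible_entries("ou=People,dc=abmas,dc=biz?one", BOOK_TREE),
        "whole tree ?sub": visible_entries("dc=abmas,dc=biz?sub", BOOK_TREE),
        "ou=Accounts ?sub": visible_entries("ou=Accounts,dc=abmas,dc=biz?sub", REORGANISED_TREE),
    }


if __name__ == "__main__":
    for setting, found in compare_settings().items():
        print(f"{setting}:")
        for dn in found:
            print(f"    {dn}")
```

The output makes the post's point concrete: with the book's "?one" on ou=People the machine account under ou=Computers is never searched, so a lookup of ws01$ fails even though the entry exists; "?sub" on the base DN reaches it but also walks ou=Groups on every passwd lookup; the ou=Accounts layout reaches both account containers while keeping the search out of the groups subtree, which is the narrowest scope that still works.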
[Samba] PAC implementation, under "open" license.
Not sure, I'm reopening an OLD thread here (sorry). I need some answers; looking somewhere I found this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp

I'm not sure, I just gave it a brief read. Can't this be used to include PAC data in a kerberos ticket in order to use kerberos authentication on win2k/xp? I know that it also requires some things on the ldap server, but this license says:

"© 2002 Microsoft Corporation. All rights reserved. Microsoft grants you a perpetual, nonexclusive, royalty-free, world-wide right and license under any Microsoft copyrights in this specification to copy, publish and distribute this specification, and to implement this specification in your products." (...)

What do you think?

Ildefonso Camargo
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?
Gémes Géza wrote:

If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS or SSL connections. Configure Samba, to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.

Cool. I'll try that one to make it start, and have something to begin working with.

I have *nix clients. See, what I mean to do is the following (not sure if it can work):

+ Install a kerberos client on the windows workstations (somebody told me that win2k and up already have one (probably a non standard one)) and, of course, on the *nix workstations.
+ Make people authenticate to a KDC.
+ Using the kerberos ticket, the user should be able to access his/her folders on the samba server, without having to log into the samba again.
+ The user should be able to log into her/his mail (a pop/imap server) without having to put in his/her password again (this one I already know works).
+ Be able to use ldap to "centralize" the users (maybe the ldap as backend to kerberos).
+ Of course the profiles of mozilla and others would go onto the server, thus creating "roaming" profiles (this is a cosmetic one, first I need the thing working).

I'm not sure how to make this, I have several options, but not sure if it can be done (never seen something like this in the docs):

1. Make samba a kerberos service, so that samba authenticates the users using the kerberos mechanism: This implies this order: samba -> kerberos 5 -> ldap (can this actually be done?). (this reads: samba asks kerberos, and kerberos asks ldap). workstation -> kerberos 5 -> ldap (this is what would happen on the client side). In this one, I'm not sure how the log-in would work, I think that the workstations will not use a "domain", and hence would not use the authentication methods provided by samba.

2. The option I have seen in many docs: samba -> ldap -> sasl -> kerberos (not sure how this one works, I guess it is something like the ldap is a kerberos service, and users authenticate to samba using the directory, but they don't use the kerberos for authentication; this would mean that the SSO (single sign on) would not work?).

Any docs, any help is welcome. Thanks for the fast answer, and once again, thanks in advance for any help on this, Sincerely, Ildefonso Camargo
[Samba] OpenLDAP, heimdal kerberos, sasl, which order?
Hi!

I have been reading for about two weeks (maybe I'm reading in the wrong places). I have found as many documents as one could expect describing how to build a LDAPv3 server, or how to build samba with ldap. This far, I have failed, and have a BIG confusion about the order in which the things should go:

In one document, they recommend this: samba -> ldap -> sasl -> kerberos (so, the passwords get stored in the kerberos database, at least that's what they say, but does the samba schema do this in fact? will the samba passwords be kept in the kerberos database? or does it just store the passwords in the ldap's database).

In another (simpler): samba -> ldap and: kerberos -> ldap (thus, storing the kerberos passwords in the ldap (duh...)).

All that I'm trying to do is to get a PDC with a directory service, but I need it to be secure (that's why I'm bothering with kerberos). Anyway, I would like to know: in which order should I build the thing?

Build orders:
1. kerberos, next sasl, next ldap, next samba (configured for samba -> ldap -> sasl -> kerberos).
2. ldap, next samba (just samba -> ldap, without kerberos password storing).

Also, if I use option 1, should the windows clients use a kerberos client? or do they just login as usual. Has anybody tested something like this?

My system:
Hardware:
+ Athlon XP 1500+, 512Mb RAM (133).
Software:
+ Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all packages.
+ OpenLDAP 2.2.8
+ kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread issues, I'm thinking to move to heimdal, any suggestions?), heimdal 0.6.1.
+ samba 3.0.2a
+ cyrus sasl 2.1.18
+ Berkeley DB 4.2.52
+ OpenSSL 0.9.7d.

Thanks in advance for your help, Sincerely, Ildefonso Camargo