Re: [Samba] Samba + LDAP PDC on Gentoo - UPDATE

2004-11-05 Thread Joshua Schmidlkofer
Kevin,
I have this up, running and in production.  Please e-mail me off list on 
Monday, and I will work with you to figure out the hold up.

=)
Of course, you can try me this weekend as well.
thanks,
  Joshua


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] XP Can't Join Domain

2004-08-24 Thread Joshua Schmidlkofer
Daniel R. Meigs wrote:
Thanks for your reply. The problem was having the computers in ou=Computers.
I put them in ou=People and the problem was solved.
--Dan
Daniel:
  I deleted the following options from the smb.conf
#ldap user suffix = ou=People
#ldap machine suffix = ou=Computers
But I left the options set in my smbldap.conf.
usersdn=ou=Users,dc=mydc,dc=com
computersdn=ou=Computers,dc=mydc,dc=com
I set my nss_ldap as such:
nss_base_passwd  dc=mydc,dc=com?sub
nss_base_shadow  dc=mydc,dc=com?sub
---
The end result is some extra sub queries - which is ok for me.  I also 
get the benefit of having the logical separation between the Users and 
Computers.   I really like that.   I am still limited by uid names, and 
I can think of a few other unsavory situations.   However, I do like it 
that way and it works very nicely.

I am glad you got yours going.
thanks,
  Joshua


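An added check for the container/scope mismatch discussed in this message; it is not code from the thread or from smbldap-tools. It takes the smbldap.conf DNs and the nss_ldap base lines, and reports whether accounts living under each container are visible to the NSS map for the configured `?sub` / `?one` scope, which is what Samba 3.0 needs before getpwnam() can find a machine account. The config excerpts are constructed from the values quoted above; the `nss_base_group` line, the function names and the assumption that a base without a `?scope` suffix defaults to sub are mine.

```python
"""Check that smbldap-tools account containers are reachable through the
nss_ldap search base and scope (added example, not code from the thread)."""
import re

# Constructed inputs modelled on the configs quoted in the thread.
SMBLDAP_CONF = """
usersdn=ou=Users,dc=mydc,dc=com
computersdn=ou=Computers,dc=mydc,dc=com
groupsdn=ou=Groups,dc=mydc,dc=com
"""

NSS_LDAP_CONF = """
nss_base_passwd  dc=mydc,dc=com?sub
nss_base_shadow  dc=mydc,dc=com?sub
nss_base_group   ou=Groups,dc=mydc,dc=com?one
"""


def split_dn(dn):
    """Split a DN into lowercased RDNs.  Good enough for the plain ou=/dc=
    names used here; escaped commas and multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def reachable(container, base, scope):
    """True if entries directly under `container` are returned by a search
    rooted at `base` with nss_ldap scope base/one/sub.  Accounts sit one
    level below their container, so scope 'one' only works when the
    container is the base itself, and scope 'base' never returns children."""
    c, b = split_dn(container), split_dn(base)
    if len(c) < len(b) or c[len(c) - len(b):] != b:
        return False                      # container lies outside the base
    depth = len(c) - len(b) + 1           # depth of the account entries
    scope = scope.lower()
    if scope == "sub":
        return True
    if scope == "one":
        return depth == 1
    return False


def parse_smbldap(text):
    pat = r"^\s*(usersdn|computersdn|groupsdn)\s*=\s*(.+?)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}


def parse_nss(text):
    """Map nss_base_* name -> (base DN, scope); assumed default scope is sub."""
    pat = r"^\s*(nss_base_\w+)\s+(\S+?)(?:\?(base|one|sub))?\s*$"
    return {m.group(1): (m.group(2), m.group(3) or "sub")
            for m in re.finditer(pat, text, re.M)}


def check(smbldap_text, nss_text):
    """(container key, nss map) -> visible?  passwd/shadow must see users and
    computers (machine accounts are Unix users to Samba); group sees groups."""
    dns, nss = parse_smbldap(smbldap_text), parse_nss(nss_text)
    wanted = {"usersdn": ("nss_base_passwd", "nss_base_shadow"),
              "computersdn": ("nss_base_passwd", "nss_base_shadow"),
              "groupsdn": ("nss_base_group",)}
    result = {}
    for key, maps in wanted.items():
        if key not in dns:
            continue
        for nss_map in maps:
            base, scope = nss.get(nss_map, (None, None))
            result[(key, nss_map)] = bool(base) and reachable(dns[key], base, scope)
    return result


if __name__ == "__main__":
    for (key, nss_map), ok in sorted(check(SMBLDAP_CONF, NSS_LDAP_CONF).items()):
        print(f"{key:12s} via {nss_map:16s}: {'ok' if ok else 'NOT VISIBLE'}")
```

With the `?sub` bases quoted above every container is visible; had `nss_base_passwd` been `ou=People,dc=mydc,dc=com?one`, machine accounts under ou=Computers would be invisible to getpwnam(), which is the shape of the original problem.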

[Samba] Restricting ACL Modification?

2004-06-11 Thread Joshua Schmidlkofer
Howdy Everyone,
  Is there anyway to restrict _who_ has the ability to modify ACLs for 
a share?  I have a number of users with poor auditory comprehension 
skills.  Hence, numerous stupid modifications to permissions rather than 
working with me to adjust group membership.   Is there anyway to 
restrict the ability of users to change the ACLs?

thanks,
   Joshua


Re: [Samba] Samba 3.0.3 on FC2: windows machine cannot join domain

2004-06-11 Thread Joshua Schmidlkofer
Tony Fugere wrote:
I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a 
backend. I'm getting the typical "The user name could not be found." 
error upon trying to join a Windows box. I've gone through every digest 
on lists.samba.org and other sites and nothing has worked yet. Any 
suggestions:

Here's what I've done so far:
1. Installed everything via RPMS:
[EMAIL PROTECTED] root]# rpm -qa | grep openldap
openldap-2.1.29-1
openldap-clients-2.1.29-1
openldap-servers-2.1.29-1
openldap-devel-2.1.29-1
[EMAIL PROTECTED] root]# rpm -qa | grep samba
samba-3.0.3-5
samba-client-3.0.3-5
samba-common-3.0.3-5
samba-swat-3.0.3-5
[EMAIL PROTECTED] root]# rpm -qa | grep smbldap
smbldap-tools-0.8.4-1.1.fc2.dag
[EMAIL PROTECTED] root]#
2. Made my SSL certificates and put them in /var/ssl.
3. Made my slapd.conf:
--- Start slapd.conf ---
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
password-hash {SSHA}
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0
security ssf=1 update_ssf=112 simple_bind=64
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
   by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
   by self write
   by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
   by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
   by self write
   by * auth
access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
   by * read
access to dn=".*,dc=soil,dc=ncsu,dc=edu"
   by self write
   by * read
database    ldbm
suffix  dc=soil,dc=ncsu,dc=edu
rootdn  cn=Manager,dc=soil,dc=ncsu,dc=edu
rootpw  _thepassword_
directory   /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
--- End slapd.conf ---
4. Made the smb.conf:
--- Start smb.conf ---
[global]
  ; Basic server settings
  workgroup = testdomain
  netbios name = smbtest
  server string = Samba Server %v
  security = user
  allow trusted domains = yes
  log level = 0
  log file = /var/log/samba/log.%m
  max log size = 50
  domain logons = Yes
  os level = 65
  local master = yes
  domain master = yes
  preferred master = yes
  encrypt passwords = yes
  passwd program = /usr/local/sbin/smbldap-passwd %u
  passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
  unix password sync = yes
  ; User and Machine Account Backends
  ldap ssl = start_tls
  passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
  ldap suffix = dc=soil,dc=ncsu,dc=edu
  ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
  ldap delete dn = no
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
  ldap machine suffix = ou=Computers
  admin users = administrator
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  ; where to store user profiles
  logon home =
  logon path =
  ldap delete dn = Yes
  add user script = /usr/local/sbin/smbldap-useradd -m %u
  add machine script = /usr/local/sbin/smbldap-useradd -w %u
  add group script = /usr/local/sbin/smbldap-groupadd -p %g
  add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
  set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
  delete user script = /usr/local/sbin/smbldap-userdel %u
  delete group script = /usr/local/sbin/smbldap-groupdel %g

[netlogon]
  comment = Network Logon Service
  path = /usr/local/samba/lib/netlogon
  read only = yes
  write list = dom_admins
[Homes]
   username = tfugere
   writeable = Yes
   force create mode = 0770
   force directory mode = 02770
   browseable = No
--- End smb.conf ---
5. Made my smbldap*.conf:
--- Start smbldap.conf ---
UID_START=1000
GID_START=1000
SID=S-1-5-21-2625200706-2048882972-3065312840
slaveLDAP=smbtest.soil.ncsu.edu
slavePort=389
masterLDAP=smbtest.soil.ncsu.edu
masterPort=389
ldapTLS=1
verify=require
cafile=/var/ssl/cacert.pem
clientcert=/var/ssl/ldapcrt.pem
clientkey=/var/ssl/ldapkey.pem
suffix=dc=soil,dc=ncsu,dc=edu
usersdn=ou=People,dc=soil,dc=ncsu,dc=edu
computersdn=ou=Computers,dc=soil,dc=ncsu,dc=edu
groupsdn=ou=Groups,dc=soil,dc=ncsu,dc=edu
scope=sub
hash_encrypt=SSHA
userLoginShell=/bin/bash
userHomePrefix=/home/
userGecos=System User
defaultUserGid=513
defaultComputerGid=553
skeletonDir=/etc/skel
defaultMaxPasswordAge=45
userSmbHome=
userProfile=
userHomeDrive=logondrive
userScript=
with_smbpasswd=0
smbpasswd=/usr/bin/smbpasswd
mk_ntpasswd=/usr/sbin/mkntpwd
--- End smbldap.conf ---
--- Begin smbldap_bind.conf ---
slaveDN=cn=Manager,dc=soil,dc=ncsu,dc=edu
slavePw=_hidden_
masterDN=cn=Manager,dc=soil,dc=ncsu,dc=edu
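An added lint, written for this page rather than taken from the thread or from any Samba or OpenLDAP tool, that reads a slapd.conf and an smb.conf [global] section like the ones quoted and reports settings that weaken the LDAP channel smbd binds over: SSLv2 enabled in TLSCipherSuite, a cleartext rootpw, a non-loopback passdb backend used with `ldap ssl = off`, and keys set more than once (smbd keeps the last value, so the two `ldap delete dn` lines above resolve to Yes). The excerpts are constructed from the quoted configs; the function names and the loopback heuristic are my assumptions.

```python
"""Lint a slapd.conf / smb.conf pair for settings that weaken the LDAP
channel Samba binds over (added example, not code from the thread)."""
import re

# Constructed excerpts patterned on the configs quoted in this thread.
SLAPD_CONF = """
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient 0
security ssf=1 update_ssf=112 simple_bind=64
rootdn  "cn=Manager,dc=soil,dc=ncsu,dc=edu"
rootpw  _thepassword_
"""

SMB_CONF = """
[global]
  ldap ssl = start_tls
  passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
  ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
  ldap delete dn = no
  ldap delete dn = Yes
"""


def parse_smb_global(text):
    """{key: [values...]} for [global], keeping every occurrence so that
    duplicates can be reported; smbd itself keeps the last one."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = (p.strip() for p in line.split("=", 1))
        params.setdefault(key.lower(), []).append(val)
    return params


def parse_slapd(text):
    """{directive: value} for top-level slapd.conf directives."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out


def lint(slapd_text, smb_text):
    findings = []
    slapd, smb = parse_slapd(slapd_text), parse_smb_global(smb_text)

    tokens = slapd.get("tlsciphersuite", "").split(":")
    if any(t.lstrip("+") == "SSLv2" for t in tokens):
        findings.append("slapd: TLSCipherSuite enables SSLv2; drop '+SSLv2' or add '!SSLv2'")

    rootpw = slapd.get("rootpw", "")
    if rootpw and not rootpw.startswith("{"):
        findings.append("slapd: rootpw is stored in clear; use a {SSHA} hash from slappasswd")

    ssl = smb.get("ldap ssl", ["start_tls"])[-1].lower()
    url = smb.get("passdb backend", [""])[-1]
    m = re.match(r"^ldapsam:(ldaps?)://([^:/]+)", url)
    scheme, host = (m.group(1), m.group(2)) if m else ("ldap", "localhost")  # smbd default URL
    if ssl in ("off", "no") and scheme == "ldap" and host not in ("localhost", "127.0.0.1"):
        findings.append(f"smb: 'ldap ssl = off' sends the ldap admin dn bind to {host} in clear")

    for key, vals in smb.items():
        if len(vals) > 1:
            findings.append(f"smb: '{key}' set {len(vals)} times; smbd uses the last ('{vals[-1]}')")
    return findings


if __name__ == "__main__":
    for finding in lint(SLAPD_CONF, SMB_CONF):
        print(finding)
```

The loopback exemption is deliberate: a plain bind to localhost, as in the Samba 3.0.2 configuration later on this page, never leaves the host, while the same `ldap ssl = off` against a remote server exposes the `ldap admin dn` password (the one stored with `smbpasswd -w`) on the wire.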

[Samba] Samba 3.0.2 and LDAP

2004-06-08 Thread Joshua Schmidlkofer
I am getting the following problem when I try to add new machines to the 
LDAP server.

<snip>
[2004/06/07 13:49:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 512
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 513
[2004/06/07 13:49:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [administrator] -> [administrator] -> [administrator] succeeded
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain MYDOM -> S-1-5-21-2872XX-X-XX
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain MYDOM -> S-1-5-21-2872XX-X-XX
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 13:49:19, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:20, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [administrator] -> [administrator] -> [administrator] succeeded
</snip>
I am very confused about how to proceed.  net groupmap reveals that Domain 
Admins is mapped to the domadm LDAP group [gid=512].   Administrator's 
primary group is 512, and that seems to be fine.  We tried several 
people, all w/ the same results.

Why am I getting ACCESS DENIED on _samr_open_domain?  I don't 
understand that.

Also, the create user fails.   This seems to ignore my add machine 
script entirely.  Did I miss anything in samba setup?

I have searched and searched the archives, with the only possible 
explanation found being that my ldap admin had insufficient rights, or 
my user had insufficient rights.  Please help.

AFAIK this worked prior to the last updates.  I am using Fedora Core 1, 
with Samba-3.0.2-6.3 (Actually, now I am not sure about the 6.3).  There 
is an update available, and I am planning on trying that.  However I am 
very beleaguered by this problem.

smb.conf:
[global]
   debug level   = 2
   workgroup = MYDOM
   server string = SVR1
   netbios name  = SVR1
   add machine script = /usr/sbin/ldapaddmachine.save %m
   printcap name = /etc/printcap
   load printers = yes
   log file  = /var/log/samba/%m.log
   max log size  = 50
   security  = user
  encrypt passwords = yes
  ldap suffix = o=Myou,c=US
  ldap user suffix= ou=Users
  ldap group suffix   = ou=Groups
  ;; Work-around re: number failures, and numerous online notes.
  ;; Which is this supposed to be?
  ldap machine suffix = ou=Computers
  ;;ldap machine suffix = ou=Users
  ldap delete dn  = no
  ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
  ldap admin dn   = cn=Manager,o=Myou,c=US
  ldap ssl= off
  ldap passwd sync= yes
  passdb backend  = ldapsam:ldap://localhost
  idmap backend   = ldap:ldap://localhost
  ;; OS-Level incremented from 33 on 2004-06-4 by IMR.
  os level  = 65
  local master  = yes
  domain master = yes
  domain logons = yes
  logon script  = logon.bat
  logon path= \\%L\Profiles\%U
  preserve case = yes
  short preserve case = yes
  default case = lower
  case sensitive = no
  dns proxy = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   wins server = 192.168.10.240
shares removed





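Decoding the two ACCESS DENIED masks from the log, as an added example that is not part of the original post or of Samba: the bit names are the DOMAIN_* access rights defined for the SAMR domain object in MS-SAMR, the log excerpt is the quoted one with the wrapped `required:` line rejoined, and the function names are mine.

```python
"""Decode SAMR domain access masks from smbd level-2 log lines
(added example, not part of the original post)."""
import re

# Domain object ACCESS_MASK bits as defined in MS-SAMR (DOMAIN_* rights).
DOMAIN_RIGHTS = {
    0x0001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x0002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x0004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x0008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x0010: "DOMAIN_CREATE_USER",
    0x0020: "DOMAIN_CREATE_GROUP",
    0x0040: "DOMAIN_CREATE_ALIAS",
    0x0080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x0100: "DOMAIN_LIST_ACCOUNTS",
    0x0200: "DOMAIN_LOOKUP",
    0x0400: "DOMAIN_ADMINISTER_SERVER",
}

# The two denial lines quoted in the post (wrapped line rejoined).
LOG = """\
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
"""


def decode(mask):
    """Names of the DOMAIN_* bits set in mask; any other bits are kept as hex."""
    names = [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(DOMAIN_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def parse_denials(log):
    """[(samr function, {field: mask})] for every ACCESS DENIED line."""
    out = []
    for m in re.finditer(r"^\s*(\w+): ACCESS DENIED\s*\((.*)\)\s*$", log, re.M):
        fields = {k: int(v, 16)
                  for k, v in re.findall(r"(\w+):\s*(0x[0-9a-fA-F]+)", m.group(2))}
        out.append((m.group(1), fields))
    return out


def missing_rights(granted, required):
    """The required bits the caller's handle does not carry."""
    return decode(required & ~granted)


if __name__ == "__main__":
    for func, fields in parse_denials(LOG):
        print(func)
        for name, mask in fields.items():
            print(f"  {name:9s} 0x{mask:04x} = {' | '.join(decode(mask))}")
        if "granted" in fields and "required" in fields:
            print("  missing  ", " | ".join(missing_rights(fields["granted"], fields["required"])))
```

Read this way, the open asked for 0x0211 (READ_PASSWORD_PARAMETERS | CREATE_USER | LOOKUP), the handle came back with 0x0201, and the one bit withheld is DOMAIN_CREATE_USER. The refusal happens inside _samr_create_user, before smbd would ever run the `add machine script`, so the script being "ignored" is a symptom; the thing to establish is whether the token smbd builds for administrator actually carries the group it treats as Domain Admins (`net groupmap` maps the gid, but the Unix group membership still has to resolve through NSS).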

Re: [Samba] Active Directory

2003-10-21 Thread Joshua Schmidlkofer
You have to change some security settings in Windows 2003; by default it
requires packet signatures, etc.  Other people here are more qualified
than me.  However, here are the changes that I made:

In AD: [Default Domain Controller Policy, and possibly the local policy
on the domain controllers]

  Disable:  Digitally Sign Communication (always)
  Disable:  Digitally Encrypt Secure Channel Data (always)
  Disable:  Require Windows 2000 (or greater) strong key



On Thu, 2003-09-25 at 12:23, Russ Haskett wrote:
 I have dug through some man pages, searched the archives for some time
 and googled for info on this but nothing yet.
 
 I'm sure this has been covered already so all I am really asking for is
 if someone could point me in the right direction to where I can educate
 myself on connecting my RedHat 9 workstation to our new Windows 2003
 Active Directory file server. I can hit my Samba server and my NT
 servers without a problem using the following in my /etc/fstab:
 
 //winserver/share /home/shares/sharename smbfs credentials=/home/.smbpasswd,workgroup=DOMAIN,uid=500,gid=100 0 0
 
 This even worked fine when I first fired up the 2003 server but it dies
 on me with the following after I setup Active Directory:
 
 [EMAIL PROTECTED] source]# mount /home/shares/sharename
 15736: tree connect failed: ERRDOS - ERRnoaccess (Access denied.)
 SMB connection failed
 [EMAIL PROTECTED] source]#
 
 Any pointers to some good educating materials would greatly be
 appreciated.
 
 Thanks,
 
 -russ
 



Re: [Samba] Active Directory

2003-10-21 Thread Joshua Schmidlkofer
On Tue, 2003-10-21 at 14:00, Jeremy Allison wrote:
 On Tue, Oct 21, 2003 at 01:51:39PM -0700, Joshua Schmidlkofer wrote:
  You have to change some security settings in Windows 2003; by default it
  requires packet signatures, etc.  Other people here are more qualified
  than me.  However, here are the changes that I made:
  
  In AD: [Default Domain Controller Policy, and possibly the local policy
  on the domain controllers]
  
Disable:  Digitally Sign Communication (always)
Disable:  Digitally Encrypt Secure Channel Data (always)
Disable:  Require Windows 2000 (or greater) strong key
 
 No, you don't have to do this for Samba3 - we support signing out of
 the box (modulo a couple of minor bugs which Stefan and I have just
 fixed in CVS :-).
 
 Jeremy.


*grin* Sorry... Since he didn't specify what version he was using, I
thought that he was using 2.2.  *oops*.  

So in the mean time should I disable Signing? I use RedHat, and I am in
the middle of the hideous and horrible replacing Kerb.  Oh god, the
horror, the horror in Rh9.  

js





RE: [Samba] Slow performance with lots of files in one directory

2003-01-10 Thread Joshua Schmidlkofer
Have you read the XFS tuning recommendations?  The XFS developers bitch
because people don't tune their volumes, then they don't understand bad
performance... 


notes from Gentoo install:
snip
Note:  You may want to add a couple of additional flags to the mkfs.xfs
command: -d agcount=3 -l size=32m. The -d agcount=3 command will lower
the number of allocation groups. XFS will insist on using at least 1
allocation group per 4 GB of your partition, so, for example, if you
have a 20 GB partition you will need a minimum agcount of 5. The
try this w/ XFS 
snip

mkfs.xfs -d agcount=(numgigs / 4) -l size=32m

===THEN== 

when you mount, try logbuf=8 and noatime in the mount options.   Windows
is a killer for atimes.


js


On Fri, 2003-01-10 at 07:05, Gerald Drouillard wrote:
 Unless you are a programmer, I am afraid the only thing you can do is to
 modify how the files are stored in that directory.  I had the files on a
 ext3 RAID5 with lots of memory config and any type of access to that
 directory would bring smb to a crawl.  I even tried putting the files on a
 separate XFS RAID5 server and mount the directory, but seemed to just make
 it worse even with a 1Gig connection between the servers.  The files that I
 store are from our in-house imaging program.  Our file names were all
 numeric so it was just a case of changing the name structure from 123456.TIF
 to /3/2/1/456.TIF.  In the new file name format, a directory has no more
 than 999+10 directory entries.  Now the system is working better than ever.
 
 Regards
 -
 Gerald Drouillard
 Owner and Consultant
 Drouillard & Associates, Inc.
 http://www.Drouillard.ca
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
  Behalf Of Anders Nordby
  Sent: Thursday, January 09, 2003 10:19 AM
  To: [EMAIL PROTECTED]
  Subject: [Samba] Slow performance with lots of files in one directory
 
 
  Hello,
 
  I've got performance problems with copying small files over to a Samba
  share in a directory that has lots of small files (1 to 2
  files). It takes too long time to copy new files (they drip in at a fast
  pace), and smbd eats a lot of CPU time.
 
  Is there any way to make Samba run faster in this situation?
 
  Cheers,
 
  --
  Anders Nordby
  Aftenposten AS, Systemteknisk avd.
 
  Tlf.: +47 22864083
  Fax: +47 22864074
-- 
VB programmers ask why no one takes them seriously, 
it's somewhat akin to a McDonalds manager asking employees 
why they don't take their 'career' seriously.


