Re: [Samba] LDAP PDC question
On Tue 04/10/2005 at 14:57, Derek Harkness wrote:
> Thanks! I was doing some testing this morning and found that on the
> pdc I was setup nss like this
>
> nss_base_passwd ou=People
> nss_base_passwd ou=machines,ou=Samba

I just didn't know that you could have many nss_base_passwd entries ;-).

--
Marcel de Riedmatten

signature.asc
Description: This is a digitally signed message part.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] LDAP PDC question
On Fri 30/09/2005 at 15:37, Derek Harkness wrote:
> When setting up an LDAP PDC do I have to have both user and machines
> in the ou=People container? Here's what I've got.
>
> LDAP Tree
>
> ou=People,o=umd.umich.edu
> ou=NIS,ou=Groups,o=umd.umich.eud
> ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
> ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu
>
> -m I get "Failed to initialise SAM_ACCOUNT for user its-1150d$. Does
> this user exist in the UNIX password database" which would be correct
> since machine accounts aren't under ou=People the local workstation
> won't be able to look them up. I don't want my unix users seeing all
> the windows workstations.

The domain controllers have to see the machine accounts. I have a setup
like yours but on the pdc my nss setup is:

base o=umd.umich.edu
#nss_base_passwd ou=People

so the whole tree is searched while on other machines it is:

base o=umd.umich.edu
nss_base_passwd ou=People

and here the machine accounts are not seen.
Re: [Samba] ADS member server w/ winbind on debian sarge
On Mon 20/06/2005 at 03:33, Noah Dain wrote:
> > > valid users = %S
> >
> > try valid users = DOMAIN+%S
> >
> > This might not be necessary if you have :
> >
> > winbind use default domain = Yes
> >
> > but i am not sure.
> yup! that did it for the home directories. (both 'DOMAIN+' and
> 'winbind use default domain = yes' worked). Working just spiffy, now.
>
> thx, Marcel
>
> now. how do I go about giving ads domain accounts the ability to log
> into the samba machine, via something like local login, ftp, ssh?

have a look at the samba HOWTO ch. 27
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

--
Marcel
Re: [Samba] ADS member server w/ winbind on debian sarge
On Mon 20/06/2005 at 00:21, Noah Dain wrote:
> ok, i've been buggering on and off with this for way too long now.
> I'm just plain stuck.
>
> However, I cannot log onto the samba machine using a domain account,
> and when i attempt to access home directories of domain accounts
> hosted on the samba machine, i keep getting prompted for a password
> (and no passwords work).

> [global]
>
> [homes]
> comment = Home Dirs
> valid users = %S

try valid users = DOMAIN+%S

> read only = No
> browseable = No
> ;root preexec = /etc/samba/scripts/mk_sambadir "/home/%D/%U" "%U" "%G"
>
> [testshare]
> path = /test
> comment = samba ads test share
> read only = no
> browseable = yes
> writelist = @"Domain Users"

same here: writelist = @"DOMAIN+Domain Users" etc

This might not be necessary if you have :

winbind use default domain = Yes

but i am not sure.

--
Marcel
Re: [Samba] Transfer winbind idmap to LDAP
On Sat 13/11/2004 at 12:36, Paul Coray wrote:
> Marcel de Riedmatten wrote:
> > On Wed 10/11/2004 at 11:21, Paul Coray wrote:
> >
> >
> > 1) get the winbind-idmap in text form with a getent passwd for example
>
> I did that with # net idmap dump winbindd_idmap.tdb >
> /tmp/winbindd_idmap.dump on the member server. the resulting file looks
> like:
>
> ...
> UID 10013 S-1-5-21-98201057-1281969052-1085559986-1608
> UID 10202 S-1-5-21-98201057-1281969052-1085559986-1436
> UID 10138 S-1-5-21-98201057-1281969052-1085559986-1011
> UID 10105 S-1-5-21-98201057-1281969052-1085559986-1418
> UID 10067 S-1-5-21-98201057-1281969052-1085559986-1137
> ...

Actually you want this information in the following form

UIDName:x:UIDNumber:GIDNumber

This is because smbldap-useradd doesn't know about SID. The vampire uses
it only for the posix part of the account. Again a getent passwd with
the useless lines removed will do the trick.

> >
> > 3) hack the script defined under "user add script" who will be adding
> > the users to use the information of 1). With the ldap backend this is
> > usually smbldap-useradd .
>
> Well, I'd like to, but my knowledge of Perl is still too limited :-( So
> if any body can help, I think I'm not the only one who would appreciate
> highly! Another way would be to modify the IDs of each user and Group in
> LDAP after the vampire process.

I have had another idea. You can just populate the posix accounts before
running the vampire according to the data you got under 1). The vampire
checks if the account exists and if it exists smbldap-useradd is not
called.

You can populate with the following script:

    #!/bin/bash
    # Pre-create the posix accounts from a passwd-format list on stdin
    # (UIDName:x:UIDNumber:GIDNumber) so the vampire finds them present.
    USERADD="/usr/local/sbin/smbldap-useradd"

    while read -r STRING ; do
        #echo "$STRING"
        UIDName=$(echo "$STRING" | cut -d : -f1)
        UIDNumber=$(echo "$STRING" | cut -d : -f3)
        GIDNumber=$(echo "$STRING" | cut -d : -f4)
        echo "Creating Account: $UIDName $UIDNumber $GIDNumber "
        "$USERADD" -u "$UIDNumber" -g "$GIDNumber" "$UIDName"
    done

call it populate.sh and do

# ./populate.sh < myaccountlistfile

Depending on your data you might need something similar for your groups.

Cheers

--
Marcel de Riedmatten
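A pre-flight check for the account list fed to populate.sh, as an added example that is not part of the original post: it keeps only entries inside the winbind idmap range and drops malformed lines and numeric-UID collisions. The function names, the 10000-20000 range and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): vet a passwd-format account
# list before it is fed to populate.sh. MIN and MAX are assumed to be the
# "idmap uid" range configured for winbind on the member server.

# vet_accounts MIN MAX
#   stdin : lines of getent passwd output (name:x:uid:gid:...)
#   stdout: accepted lines, reduced to UIDName:x:UIDNumber:GIDNumber
#   stderr: one reason per rejected line
vet_accounts() {
    min=$1 max=$2 seen=" "
    while IFS=: read -r name _pw uid gid _rest; do
        # Reject names that are empty, start with "-" (would be read as an
        # option by the command populate.sh runs) or hold unexpected characters.
        case $name in
            ''|-*|*[!A-Za-z0-9._\$+-]*)
                echo "skip (bad name): $name" >&2; continue ;;
        esac
        # UID and GID must be plain decimal numbers.
        case $uid in ''|*[!0-9]*) echo "skip (bad uid): $name" >&2; continue ;; esac
        case $gid in ''|*[!0-9]*) echo "skip (bad gid): $name" >&2; continue ;; esac
        # Local accounts (root, daemon, ...) fall outside the idmap range.
        if [ "$uid" -lt "$min" ] || [ "$uid" -gt "$max" ]; then
            echo "skip (outside idmap range): $name" >&2; continue
        fi
        # Two names on one numeric UID make later lookups ambiguous.
        case $seen in
            *" $uid "*) echo "skip (duplicate uid $uid): $name" >&2; continue ;;
        esac
        seen="$seen$uid "
        printf '%s:x:%s:%s\n' "$name" "$uid" "$gid"
    done
}

# Constructed sample input; none of these accounts come from the thread.
sample_list() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
jdoe:x:10013:10000:J Doe:/home/jdoe:/bin/false
ws01$:x:10202:10001::/dev/null:/bin/false
asmith:x:10013:10000::/home/asmith:/bin/false
-u0:x:10300:10000::/home/x:/bin/false
broken:x:abc:10000::/home/broken:/bin/false
EOF
}

# Demo: print the vetted list (pipe it into populate.sh once reviewed).
sample_list | vet_accounts 10000 20000
```

On a real member server the input would be `getent passwd` output and the range would be the one set in smb.conf.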
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Wed 17/11/2004 at 17:09, Paul Coray wrote:
> Marcel de Riedmatten wrote:
> >
> > you can have them separated. What counts is that the machine accounts are
> > visible on domain controllers (PDC BDC) ie getent passwd must show the
> > machine (posix) account. This is nss_ldap configuration. If samba
> > doesn't see the machine (posix) account it won't work .
>
> So can I specify more than one nss base for passwd in libnss-ldap.conf
>
> i.e.
>
> nss_base_passwd ou=Users,dc=mydomain,dc=ch
> nss_base_passwd ou=Computers,dc=mydomain,dc=ch
> nss_base_group ou=Groups,dc=mydomain,dc=ch

I am not sure. I just don't specify nss_base_passwd ie i just defined

base dc=mydomain,dc=ch

> >
> >> So I would suspect some problem in the communication with the
> >>
> >>>PDC and double check that on the samba box
> >>>
> >>>1) you have the domain SID as local SID
> >>
> >>Do SIDS for the PDC and for the domain have to be the same?
> >
> >
> > yes the domain SID _is_ the (local) SID of the PDC and all domain
> > controllers must have the same SID.
>
> Thanks Marcel, this is very valuable information to me! I think these
> should be pointed out more clearly in the docs.
>
>

ok

By the way I am preparing something for the vampire and idmap stuff.

--
Marcel de Riedmatten
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Sat 13/11/2004 at 12:23, Paul Coray wrote:
> Marcel de Riedmatten wrote:
> > On Tue 09/11/2004 at 17:57, Paul Coray wrote:
>
> > This doesn't seem normal. The samba attribute should be added by the
> > vampire.
>
> But in my case it doesn't... net rpc vampire says 'Couldn't create Posix
> information for machinename$'. Well in reality, it did, but without
> samba attrs.
>
> Now I realize this works when i configure LDAP and Idealx-Tools to store
> machine accounts in the same container as useraccounts. Although this
> makes my directory look somewhat messy, I can live with it if I have to.
> Still I can't add machines doing smbldap-useradd -w, nor when I try to
> join the domain from a client.

you can have them separated. What counts is that the machine accounts
are visible on domain controllers (PDC BDC) ie getent passwd must show
the machine (posix) account. This is nss_ldap configuration. If samba
doesn't see the machine (posix) account it won't work.

> > So I would suspect some problem in the communication with the
> > PDC and double check that on the samba box
> >
> > 1) you have the domain SID as local SID
>
> Do SIDS for the PDC and for the domain have to be the same?

yes the domain SID _is_ the (local) SID of the PDC and all domain
controllers must have the same SID.
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Tue 09/11/2004 at 17:57, Paul Coray wrote:
> Hi all
>
> For several days I've been doing tests for our upcoming migration from
> an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4
> and some Win2k. We want all of our users eventually switch from Windows
> to KDE on Linux with thin clients through NX :-)
>
> I managed to net rpc vampire all user and machine accounts into LDAP,
> but then I realized some problems:
>
> - The migrated machine accounts have no samba attributes. I can
> reproduce this behavior adding a machine account doing smbldap-useradd
> -w [machinename], just as in the 'add machine script' line in smb.conf
> suggested by Idealx. The machine account machinename$ will exist then,
> but without sambaSAMAccount object class nor any other samba attribute.
> Only after adding these by hand and joining the machine to my samba
> domain, users can login. I tried also using smbldap-useradd with
> multiple options, -w for workstation account and -a for samba
> attributes, but no luck. I wish I shouldn't add 200 machines to an
> already existing domain after the migration...

This doesn't seem normal. The samba attribute should be added by the
vampire. So I would suspect some problem in the communication with the
PDC and double check that on the samba box

1) you have the domain SID as local SID
2) you have joined the domain as BDC
3) you can see the attribute with net samdump

> - Users, once logged in to Linux, cannot change their password with
> smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm
> talking about a logged in user...

At a distance this is a hard guess. I suggest that you look at the ldap
log to get an idea of what happened.

--
Marcel de Riedmatten
Re: [Samba] Transfer winbind idmap to LDAP
On Wed 10/11/2004 at 11:21, Paul Coray wrote:
> Hi all
>
> This seems simple, but I can't figure how to achieve it.
>
> I have:
>
> - NT4-PDC
> - Fileserver (Solaris 9), Samba 3.0.2 member server with winbind
>
> I want to migrate my NT4-PDC to Samba PDC with ldapsam. How can I make
> sure that after vampire my old PDC to Samba-PDC, the user and group ids
> will be the same as in the winbind-idmap of my Samba member server?
>

Hi Paul

this is my suggestion:

1) get the winbind-idmap in text form with a getent passwd for example

2) remove the nss_winbind from the nsswitch.conf or what it is on
solaris; this is because the vampire will look in the unix database to
see if the account exists and if the account already exists it won't be
added.

3) hack the script defined under "user add script" which will be adding
the users to use the information of 1). With the ldap backend this is
usually smbldap-useradd.

4) do the usual procedure

Anyone has a better idea !

Cheers

--
Marcel de Riedmatten
Re: [Samba] Samba 3.0.6 and OpenLDAP performance problem
On Fri 08/10/2004 at 11:01, Tomasz Finke wrote:
> Marcel de Riedmatten wrote:
>
> > Another question: have you replicated your ldap server ?
>
> Yes, I have BDC server with Samba and slave slapd installed. But
> more than 90% of users choose PDC as their logon server. The
> "os level" at PDC is set to 255 and on the BDC to 33. Perhaps
> I should set equal values for both servers?

I made some search on that one. You should probably use a 2 PDC setup
like the one described at

http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

toward the end of the page. Both PDC have

domain master = yes
local master = yes
preferred master = yes
os level = 255

What changes is the netbios name and the ldapsam entry doesn't have the
same order.

--
Marcel de Riedmatten
Re: [Samba] Samba 3.0.6 and OpenLDAP performance problem
On Thu 07/10/2004 at 23:05, Tomasz Finke wrote:
> Marcel de Riedmatten wrote:
>
> > You aren't running winbind aren't you ?
>
> No, I'm not, just slapd, nscd and Samba.

I have looked in my log and i see something similar as you, except this
happens after the logon script is closed. I see at least three times the
same enumeration request:

Oct 8 09:56:08 sarge slapd[25437]: conn=266107 op=401 SRCH base="dc=nofida,dc=ch" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))"
Oct 8 09:56:08 sarge slapd[25437]: conn=266107 op=401 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
Oct 8 09:56:08 sarge slapd[25437]: conn=266107 op=401 SEARCH RESULT tag=101 err=0 nentries=37 text=

With 37 entries i don't see performance issue. This is with samba 3.05
(debian). I'll check later if this really has to do with the logon
process.

Another question: have you replicated your ldap server ?

--
Marcel
Re: [Samba] Inconsistant winbind and getent results
On Mon 28/06/2004 at 19:52, Norman Zhang wrote:
> Marcel de Riedmatten wrote:
> > On Wed 23/06/2004 at 00:53, Norman Zhang wrote:
> >># getent passwd nzhang
> >>
> >>The last command displays nothing. Why?
> >
> > Last time i got that i had 2 users with the same numeric uid (this is
> > counting local users) or, i am not quite sure, 2 users or group with the
> > same SID. Too much playing ! So i would double check stuff like that.
>
> I don't have a local user nzhang on my Linux box. I added winbind enum
> users/groups, but testparm seems to ignore them. Below is my conf file,
> could you see if I'm doing something stupid?

Hi

I said numeric uid, not uid. This is the number in the third column of a
passwd entry.

You have idmap in your config therefore you are running samba 3. What is
your domain controller ?

By the way your config looks good.

Another way to look at the problem is to put log level = 3 or 5 and to
look at the winbind log after you have done the getent. There surely
will be some interesting message.

Cheers

--
Marcel de Riedmatten
Re: [Samba] Problem with net rpc vampire - Samba 3.0.2a
On Mon 03/05/2004 at 11:01, Ferdinand Klinzer wrote:
> Hello i have a running Samba 3.0.2a Server on a SuSE Linux 9.0 dist.
>
> Creating account: Gast
> Could not create posix account info for 'Gast'
> Creating account: DEMONT01$
> Could not create posix account info for 'DEMONT01$'
> Creating account: mstrohm
> Could not create posix account info for 'mstrohm'
> Creating account: fklinzer
> Could not create posix account info for 'fklinzer'
> Creating account: kforgo
> Could not create posix account info for 'kforgo'
> Creating account: DEMOSMB01$
> Could not create posix account info for 'DEMOSMB01$'

Hi

wild guess: you are using a ldap backend, smbldap-tools and you forgot
to configure nss-ldap.

Cheers

--
Marcel de Riedmatten
Re: [Samba] Cupsprinter over samba won't work for w2k clients
On Wed 17/03/2004 at 12:07, Angela Gavazzi wrote:
> Hallo!

[ snip ]

> 2. An OKI C5300: when opening printer properties I get this in error_log:
>
> E [16/Mar/2004:15:59:44 +0100] get_printer_attrs: resource name
> '/printers/::{2227a280-3aea-1069-a2de-08002b30309d}' no good!
>
> and this on the Client (sorry it's german...)
>
> Der an einen Systemaufruf übergebene Datenbereich ist zu klein"
> "Funktionsadresse 0x500027e4 hat eine Schutzverletzung verursacht.
> (Ausnahmecode 0xc005) Die Eigenschaftenseite wird möglicherweise nicht
> richtig angezeigt."
>
> Then it opens the properties. The printer is shows as not connected and
> when
> trying to print there are no errors in error_log.
>

Hi

I had a similar problem a few months ago. I made the observation that if
windows (it was 2k at the time) has a driver preinstalled it will use
it. If the driver on the server is not the same as the preinstalled one,
this can lead to "binary corruption" like you see. I solved it by
putting on the server the same drivers as the preinstalled one. I found
this driver on the windows original cd in a drivers.cab file.

> load printers = yes

This line is of no use with cups. I would remove it but this should not
be your problem.

At this point i would stop samba, remove /var/lib/samba/ntdrivers.tdb
and ntprinters.tdb, restart samba and have a try with the original
windows drivers.

Have a good day.

--
Marcel de Riedmatten
Re: [Samba] Performances network samba
On Fri 27/02/2004 at 08:53, Xavier Poirier wrote:
> In reply to Marcel de Riedmatten <[EMAIL PROTECTED]>:

> It seems a little faster in the readonly mode !
> But I will ask in the OpenOffice MailingList why they are not caching
> the network files on the client for not read those files everytime you
> start Ooo.

I am using the quickstart. It starts in 10s when the windows user logs
in. It keeps 69 files open per user. Then writer and other apps start in
1 or 2 seconds. This is with oo 1.01, samba 2.2.8a, clients athlon
XP1800+w2k, server is celeron 1000 with ide disks, 100Mb/s switched
ethernet, nothing fancy. This is a small network, about 10 users.

[apps]
comment = Applications réseau
path = /var/spool/samba/apps
read only = Yes
oplocks = No
level2 oplocks = No
#write list = NOFIDA/administrateur

> What are the default values of the tuning options of a share ?
> I mean : "block size" "write cache size" , have you tried to modify
> these values ?
>

block size = 1024
write cache size = 0

I didn't play with that but i remember that it went better once i
removed oplock.

--
Marcel de Riedmatten
Re: [Samba] Performances network samba
On Thu 26/02/2004 at 14:33, Xavier Poirier wrote:
> We have installed OpenOffice in a "network" mode onto a samba share
> named \\openoffice\ooo (linux Mandrake9.2)
> The performances are slowest (a 10M network)
>
> I was wondering if there is a simple way to optimise performances
> between a samba share and the win2k clients, a cache or something
> similar ?

Hi

For openoffice i made the share readonly. It's quite fast.

--
Marcel de Riedmatten