Re: [Samba] How to configure krb5 for multiple domains or domain and its sub-domains

2011-08-23 Thread Mauricio Tavares
On Tue, Aug 23, 2011 at 3:17 PM, Le, Anh  wrote:
> Hi Mauricio,
>
> First of all, thank you for the reply. Secondly, those subdomains are child 
> domains of pc.example.com in windows dns.  And here is my current krb5.conf 
> file.  u...@pc.example.com is connecting fine. But not the 
> u...@europe.pc.example.com or u...@asia.pc.example.com. These users will be 
> prompted for the username and password. By the way we use kerberos with 
> winbind.
>
> [libdefaults]
>        default_realm = PC.EXAMPLE.COM
>        dns_lookup_kdc = true
>        verify_ap_req_nofail = false
>        clockskew = 300
>
> [realms]
>        PC.EXAMPLE.COM = {
>                kdc = server1.pc.example.com
>                admin_server = server1.pc.example.com
>                default_domain = pc.example.com
>        }
>
> [domain_realm]
>       .kerberos.server = PC.EXAMPLE.COM
>       pc.example.com = PC.EXAMPLE.COM
>       .pc.example.com = PC.EXAMPLE.COM
  .europe.pc.example.com = PC.EXAMPLE.COM
  .asia.pc.example.com = PC.EXAMPLE.COM

see if this helps
>
>
> [logging]
>        default = FILE:/var/krb5/kdc.log
>        kdc = FILE:/var/log/kdc.log
>        kdc_rotate = {
>
> # How often to rotate kdc.log. Logs will get rotated no more
> # often than the period, and less often if the KDC is not used
> # frequently.
>
>                period = 1d
>
> # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
>
>                versions = 10
>        }
>
> [appdefaults]
>        kinit = {
>                renewable = true
>                forwardable= true
>        }
>        gkadmin = {
>                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
>        }
> Thanks a lot,
>
> Anh.
>
>
>
> -----Original Message-----
> From: Mauricio Tavares [mailto:raubvo...@gmail.com]
> Sent: Tuesday, August 23, 2011 12:50 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] How to configure krb5 for multiple domains or domain and 
> its sub-domains
>
> On Aug 23, 2011 11:13 AM, "Le, Anh"  wrote:
>>
>> Hi All,
>>
>> I've configured my samba server (3.5.11) working and joined to my domain
>> pc.example.com. Every user of pc.example.com is able to view the shared
>> folders and files of my samba server without any problem.
>>
>> However, the users of my sub-domains Europe.pc.example.com and
>> Asia.pc.example.com could not connect and view the shared folders of my
>> samba server. They were prompted for the passwords and it does not accept
>> their passwords when the users entered. I guess it has this problem because
>> my current krb5 is only setup for my main domain pc.example.com.
>>
>> I don't know the syntax for the multiple domains or domain and its
>> sub-domains of krb5.conf file. It will be very appreciated if anyone can
>> help me.
>>
> Are those subdomains as in dns subdomains or samba workgroups/domains?
> Are they all supposed to be in the same kerberos realm?
>
>> Thanks a lot,
>>
>> Anh.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
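
How the `[domain_realm]` section in this message is searched, as an added example that is not part of the original thread: it resolves a server host name (full name first, then each enclosing domain) and lists realms that have no `[realms]` stanza. The host `fs1.europe.pc.example.com`, the function names, and the variant with per-child realms `EUROPE.PC.EXAMPLE.COM` / `ASIA.PC.EXAMPLE.COM` are assumptions, not values from the thread.

```python
import re

# krb5.conf from the thread (stray spaces in host names removed, logging and
# appdefaults omitted), including the two [domain_realm] lines from the reply.
THREAD_CONF = """
[libdefaults]
    default_realm = PC.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    PC.EXAMPLE.COM = {
        kdc = server1.pc.example.com
        admin_server = server1.pc.example.com
        default_domain = pc.example.com
    }

[domain_realm]
    .kerberos.server = PC.EXAMPLE.COM
    pc.example.com = PC.EXAMPLE.COM
    .pc.example.com = PC.EXAMPLE.COM
    .europe.pc.example.com = PC.EXAMPLE.COM
    .asia.pc.example.com = PC.EXAMPLE.COM
"""

# The same file without the two lines added in the reply.
ORIGINAL_CONF = "\n".join(
    l for l in THREAD_CONF.splitlines() if "europe" not in l and "asia" not in l)

# Constructed variant (assumption): each child domain is its own realm.
CHILD_REALM_CONF = THREAD_CONF.replace(
    ".europe.pc.example.com = PC.EXAMPLE.COM",
    ".europe.pc.example.com = EUROPE.PC.EXAMPLE.COM",
).replace(
    ".asia.pc.example.com = PC.EXAMPLE.COM",
    ".asia.pc.example.com = ASIA.PC.EXAMPLE.COM",
)

def parse_sections(text):
    """Return {section: {key: value}} for top-level relations. A relation that
    opens a '{' block is stored with value None and its body is skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:                      # inside a { ... } block
            depth += line.count("{") - line.count("}")
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.endswith("{"):
            depth = 1
            value = None
        current[key] = value
    return sections

def host_realm(conf, host):
    """Return (realm, matching_key) for a server host name: the full name is
    tried first, then each enclosing domain, most specific first."""
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    name = host.lower().rstrip(".")
    candidates = [name]
    while "." in name:
        name = name.split(".", 1)[1]
        candidates += ["." + name, name]
    for key in candidates:
        if key in table:
            return table[key], key
    return None, None

def realms_needing_dns(conf):
    """Realms referenced by default_realm or [domain_realm] that have no
    [realms] stanza, so their KDCs must be found through DNS."""
    used = set(conf.get("domain_realm", {}).values())
    used.add(conf.get("libdefaults", {}).get("default_realm"))
    return sorted(r for r in used - set(conf.get("realms", {})) if r)

if __name__ == "__main__":
    host = "fs1.europe.pc.example.com"   # hypothetical file server name
    for label, text in (("original", ORIGINAL_CONF), ("with reply", THREAD_CONF),
                        ("child realms", CHILD_REALM_CONF)):
        conf = parse_sections(text)
        print(label, host_realm(conf, host), realms_needing_dns(conf))
```

`[domain_realm]` maps server host names to realms; the realm of a user principal comes from the principal itself. With `dns_lookup_kdc = true`, as in the posted file, a realm without a stanza is located through DNS SRV records.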


Re: [Samba] How to configure krb5 for multiple domains or domain and its sub-domains

2011-08-23 Thread Mauricio Tavares
On Aug 23, 2011 11:13 AM, "Le, Anh"  wrote:
>
> Hi All,
>
> I've configured my samba server (3.5.11) working and joined to my domain
> pc.example.com. Every user of pc.example.com is able to view the shared
> folders and files of my samba server without any problem.
>
> However, the users of my sub-domains Europe.pc.example.com and
> Asia.pc.example.com could not connect and view the shared folders of my
> samba server. They were prompted for the passwords and it does not accept
> their passwords when the users entered. I guess it has this problem because
> my current krb5 is only setup for my main domain pc.example.com.
>
> I don't know the syntax for the multiple domains or domain and its
> sub-domains of krb5.conf file. It will be very appreciated if anyone can
> help me.
>
  Are those subdomains as in dns subdomains or samba workgroups/domains?
Are they all supposed to be in the same kerberos realm?

> Thanks a lot,
>
> Anh.


Re: [Samba] SSO's availability

2011-08-02 Thread Mauricio Tavares
2011/8/2 Frédéric Bérard :
> Hello all,
>
>
> I will introduce myself,
> I'm French, about 34 years old, and work for a mechanic company.
> I discovered Linux in 2006 and I really enjoy all the things that
> can be done with it.
>
> Now here are my questions:
> Is it possible to configure an authentication system based on SSO with Samba
> (and certainly LDAP and a lot of other things)?
> Is it possible to do this without any Windows system acting as an
> authority?
> What I mean is that I would like to do this with only one Linux computer.
>
  Yes if you use Samba 4 as it can be your AD server. And, if in
addition to your windows boxes you make your other linux/OSX machines
authenticate against it, you are all set.

> And the last one of my questions : Could you help me ?
>
  Can but try, right?
>
> Thanks In advance for all of your answers,
>
> Kindly
> --
>
> Frédéric Bérard


Re: [Samba] tkey-gssapi-credential and bind (Samba4)

2011-06-28 Thread Mauricio Tavares

On 06/22/2011 02:26 AM, Marcel Ritter wrote:

Hi Mauricio,

the easiest way to find out, where named fails may be to
do an "strace -f /usr/sbin/named ..." (don't forget to set/export
the keytab environment variables before doing so).

Check the output of strace for accesses to the keytab file and
you will get some hints about what's wrong. You may also want
to check for the files mentioned below in the apparmor list.

In my apparmor config (Ubuntu 10.04) I had to add some more
entries (the list is far from optimized, but it works for me).

/opt/samba4/private/dns.keytab kr,
/opt/samba4/private/named.conf.update kr,
/opt/samba4/private/named.conf kr,
/opt/samba4/private/dns/* krw,
/var/tmp/krb5_* rw,
/var/tmp/DNS_* rw,

If you like you can send me the strace log in private, I'll have a look.
(AFAIK the allowed size of attachments on the list is quite small).

	You were right about the apparmor; I disabled it temporarily for named 
and bind was happy again. I will try your list later (since I found out 
I can't do cross-realm between samba4's kerberos and our (mit) currently 
working setup, samba 4 just dropped out of my priority list).



Bye,
 Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
behalf of Mauricio Tavares
Sent: Tuesday, June 21, 2011 21:23
To: samba@lists.samba.org
Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)

On Tue, Jun 21, 2011 at 1:14 PM, Aaron E.  wrote:

In my experience this is due to gssapi not being compiled to the
correct directory for bind. I also used 11.04 and my compile path was
--with-gssapi=/usr/include/gssapi, instead of /usr


   Aaron, in my case it seems to be pointing to /usr:

root@sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root@sambabox:~#




On 06/21/2011 10:45 AM, Marcel Ritter wrote:


Hi Mauricio,

this is usually caused by one of 3 things:

1) bind is started without KRB5_KTNAME being set, and
  therefore doesn't know where to look for its keytab


Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab


2) the bind user does not have access permission to the
 keytab (or any directory in its path)


   As user bind (I edited /etc/passwd temporarily) I was able to reach that 
file:

bind@sambabox:~$ cat /var/lib/samba/private/dns.keytab 
HTEST.DOMAIN.COMDNStest.domain.com
[...]


3) I also had problems related to apparmor (on Ubuntu 10.04)
 where the apparmor security framework prevented bind
 from accessing the keytab, even if file permissions were ok


   I edited # /etc/apparmor.d/usr.sbin.named per 
http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html
, adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,


Hope this helps,
 Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
On behalf of Mauricio Tavares
Sent: Tuesday, June 21, 2011 16:11
To: samba@lists.samba.org
Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

   So I am in step 10 of the samba4 howto
(https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3 which seems to be current enough for this. In it we are
to add

tkey-gssapi-credential "DNS/samdom.example.com";
tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is
test.domain.com, I changed the above to

tkey-gssapi-credential "DNS/test.domain.com";
tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA

Re: [Samba] Samba4 + Kerberos cross-realms + ldap

2011-06-28 Thread Mauricio Tavares

On 06/17/2011 02:00 AM, Andrew Bartlett wrote:

On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:

  Quick and easy question: I have a network which already has its
own kerberos + ldap servers running and I want to setup a samba4 box
as AD. So, from conversations here and on irc, the best thing to do is
to setup the samba4's built-in kerberos to do cross-realm
authentication with the other kerberos server. Now, how would those
crossed users look like in samba? Or, how would they be created in the
samba4 ldap so they would have, among other things, a local home
directory (or wherever the homedir; it just has to be in a place
samba can find, know what to do with it, and do it) which would then be
exported?


I realise it's not a great answer, but currently we don't support
cross-realm trusts.  We have some of the parts (they are being used for
IPA), but I would not make any assumptions about it being fully working
for what you need.  In particular, for the Microsoft model, we should
find the 'local' account for the principal and make up a PAC, none of
which we do.

	Oh lovely. So I guess Samba 4 is out of question for me unless I want 
to move all of our authentication/authorization stuff that works fine 
with our Linux, Solaris, and OSX systems to Samba 4. And that is just 
not happening for many reasons.


This was the entire reason I went with it: I was hoping that somehow I 
would be able to sync it with our established kerberos/ldap setup. All I 
needed was just the kerberos part to work across realms. I should have 
read this reply a week ago.



As to extending the Samba4 schema, this is a great option, except that a
number of users have reported various issues here, which we are yet to
resolve.

Andrew Bartlett





Re: [Samba] heimdal config and files

2011-06-28 Thread Mauricio Tavares

On 06/28/2011 02:47 AM, Michael Wood wrote:

Cc: samba-technical

On 27 June 2011 21:07, Mauricio Tavares  wrote:

I need to create a few principals in the heimdal kerberos that comes
with samba but do not know where its files are (so I can tell kadmin
where to look for them). Could anyone gimme a pointer?


I believe the information is stored in .../samba/private/sam.ldb (and
related files), but I doubt you can access those directly with kadmin.

Perhaps you can use samba-tool or ldbedit to do what you want?

	If any of them can help me setup a cross-realm trust, that would be 
great! =)



[Samba] heimdal config and files

2011-06-27 Thread Mauricio Tavares
I need to create a few principals in the heimdal kerberos that comes
with samba but do not know where its files are (so I can tell kadmin
where to look for them). Could anyone gimme a pointer?


Re: [Samba] tkey-gssapi-credential and bind (Samba4)

2011-06-21 Thread Mauricio Tavares
On Tue, Jun 21, 2011 at 1:14 PM, Aaron E.  wrote:
> In my experience this is due to gssapi not being compiled to the correct
> directory for bind. I also used 11.04 and my compile path was
> --with-gssapi=/usr/include/gssapi, instead of /usr
>
  Aaron, in my case it seems to be pointing to /usr:

root@sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root@sambabox:~#

>
>
> On 06/21/2011 10:45 AM, Marcel Ritter wrote:
>>
>> Hi Mauricio,
>>
>> this is usually caused by one of 3 things:
>>
>> 1) bind is started without KRB5_KTNAME being set, and
>>      therefore doesn't know where to look for its keytab
>>
   Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

>> 2) the bind user does not have access permission to the
>>     keytab (or any directory in its path)
>>
  As user bind (I edited /etc/passwd temporarily) I was able to
reach that file:

bind@sambabox:~$ cat /var/lib/samba/private/dns.keytab
HTEST.DOMAIN.COMDNStest.domain.com
[...]

>> 3) I also had problems related to apparmor (on Ubuntu 10.04)
>>     where the apparmor security framework prevented bind
>>     from accessing the keytab, even if file permissions were ok
>>
  I edited # /etc/apparmor.d/usr.sbin.named per
http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html
, adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

>> Hope this helps,
>>     Marcel
>>
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
>> On behalf of Mauricio Tavares
>> Sent: Tuesday, June 21, 2011 16:11
>> To: samba@lists.samba.org
>> Subject: [Samba] tkey-gssapi-credential and bind (Samba4)
>>
>>       So I am in step 10 of the samba4 howto
>> (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
>> my bind9 is 9.7.3 which seems to be current enough for this. In it we are
>> to add
>>
>>    tkey-gssapi-credential "DNS/samdom.example.com";
>>    tkey-domain "SAMDOM.EXAMPLE.COM";
>>
>> to /etc/bind/named.conf.options. Since my test domain is test.domain.com,
>> I changed the above to
>>
>>    tkey-gssapi-credential "DNS/test.domain.com";
>>    tkey-domain "TEST.DOMAIN.COM";
>>
>> In the log file I have:
>>
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone:
>> 8.B.D.0.1.0.0.2.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
>> Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
>> Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
>> Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
>> Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-dlz-postgr
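
Checks 2 and 3 from Marcel's list in this thread (keytab reachable through every directory in its path, and AppArmor rules covering what named touches), as an added example that is not part of the original messages. The function names, the `base` parameter, the placeholder uid/gid and the access list (file names ending in `_example` or `example.zone`) are constructed assumptions; the rule texts are the ones quoted in the thread, and the glob handling is a simplification of AppArmor's.

```python
import os
import re

def first_blocked(path, uid, gids, want="r", base=os.sep):
    """Check 2: return the first component between base and path that uid/gids
    cannot pass (x on directories, `want` on the file itself), else None.
    Mode bits only: ACLs and root's override are not modelled."""
    parts = os.path.relpath(path, base).split(os.sep)
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        need = {"r": 4, "w": 2}[want] if i == len(parts) - 1 else 1
        if not (st.st_mode >> shift) & need:
            return current
    return None

def glob_to_regex(pattern):
    """AppArmor path globbing, simplified: '**' crosses '/', '*' and '?' do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = re.sub(r"\*\*|\*|\?|[^*?]+",
                  lambda m: tokens.get(m.group(), re.escape(m.group())), pattern)
    return re.compile(body)

def parse_rules(profile_text):
    """Return [(compiled_path_glob, set_of_permission_letters)] for file rules."""
    rules = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        if line.startswith("/"):
            pattern, perms = line.rsplit(None, 1)
            rules.append((glob_to_regex(pattern), set(perms)))
    return rules

def uncovered(profile_text, accesses):
    """Check 3: list (path, missing_letters) for accesses the rules do not grant.
    Permissions from every matching rule are combined."""
    rules = parse_rules(profile_text)
    missing = []
    for path, need in accesses:
        granted = set()
        for rx, perms in rules:
            if rx.fullmatch(path):
                granted |= perms
        lacking = "".join(sorted(set(need) - granted))
        if lacking:
            missing.append((path, lacking))
    return missing

# The two rules added to /etc/apparmor.d/usr.sbin.named in the thread.
TWO_RULES = """\
/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,
"""
# Marcel's list from the thread (his install lives under /opt/samba4).
MARCEL_RULES = """\
/opt/samba4/private/dns.keytab kr,
/opt/samba4/private/named.conf.update kr,
/opt/samba4/private/named.conf kr,
/opt/samba4/private/dns/* krw,
/var/tmp/krb5_* rw,
/var/tmp/DNS_* rw,
"""

def sample_accesses(private_dir):
    """Constructed access list (assumption): one path per kind of rule in
    Marcel's list, placed under the given samba private directory."""
    return [
        (private_dir + "/dns.keytab", "kr"),
        (private_dir + "/dns/example.zone", "rw"),
        ("/var/tmp/krb5_example", "rw"),
        ("/var/tmp/DNS_example", "rw"),
    ]

if __name__ == "__main__":
    for path, lacking in uncovered(TWO_RULES, sample_accesses("/var/lib/samba/private")):
        print("not granted by the two rules:", path, lacking)
    keytab = os.environ.get("KRB5_KTNAME")   # check 1: is the variable exported?
    print("KRB5_KTNAME:", keytab or "not set")
    if keytab and os.path.exists(keytab):
        # 53 is a placeholder uid/gid for the bind user, not a value from the thread
        print("blocked at:", first_blocked(keytab, uid=53, gids={53}))
```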

[Samba] tkey-gssapi-credential and bind (Samba4)

2011-06-21 Thread Mauricio Tavares
  So I am in step 10 of the samba4 howto
(https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3 which seems to be current enough for this. In it we
are to add

   tkey-gssapi-credential "DNS/samdom.example.com";
   tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is
test.domain.com, I changed the above to

   tkey-gssapi-credential "DNS/test.domain.com";
   tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone:
8.B.D.0.1.0.0.2.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
'--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

IMHO, just saying "TKEY:failure" is not very helpful. I did find out
the line bind does not seem to like is the first one,

tkey-gssapi-credential "DNS/test.domain.com";

This is an ubuntu 11.04 machine if this matters.


[Samba] Samba4 + Kerberos cross-realms + ldap

2011-06-14 Thread Mauricio Tavares
     Quick and easy question: I have a network which already has its
own kerberos + ldap servers running and I want to setup a samba4 box
as AD. So, from conversations here and on irc, the best thing to do is
to setup the samba4's built-in kerberos to do cross-realm
authentication with the other kerberos server. Now, how would those
crossed users look like in samba? Or, how would they be created in the
samba4 ldap so they would have, among other things, a local home
directory (or wherever the homedir; it just has to be in a place
samba can find, know what to do with it, and do it) which would then be
exported?


Re: [Samba] On Samba4

2011-06-07 Thread Mauricio Tavares
On Tue, Jun 7, 2011 at 10:56 AM,   wrote:
> Hi,
>
> I'd be most happy to answer any questions you may have, though fair warning:
> my version of Samba is kind of outdated (alpha 12), so what worked for me
> might not work for you.
>
  Well, I am ashamed to say I too am running right now alpha 12
because that is what came in ubuntu 10.10. So, hopefully I should be
able to duplicate your stuff ;)

> I'm not too familiar with offloading the DNS service to another computer; as
> you may have surmised, my setup has the DNS on the Samba server. I think the
> main thing about having a DNS server is getting it to accept updates from
> clients (dynamic DNS updates for browsing).
>
  Right now my "normal" DNS server can do the dynamic dns updates.
I am, however, wondering which other things I need to provide. For
instance, I would expect stuff like netbios-node-type and
netbios-name-servers can be provided by my current dhcp server without
hurting the samba4 AD behaviour. I could be wrong...

> I believe I am running a pure S4 setup; I recall that the S3+S4 thing
> confused me mightily at the beginning. I'd have to check to make sure
> though; how can I do this?
>
  Let me know because I too would like to know in my own setup.

> On Tue, Jun 7, 2011 at 10:35 PM, Mauricio Tavares wrote:
>
>> On Tue, Jun 7, 2011 at 5:04 AM,   wrote:
>> > Hi,
>> >
>> > I'm running Samba4 alpha 12 as the only DC and file server on my local
>> > network.
>> >
>> > It is working well. After the initial setup, everything can be managed
>> > from a Windows workstation.
>> >
>> > Functions I've tried so far:
>> > - Group policy objects
>> > - Adding / removing users
>> > - Roaming profiles
>> > - DNS updates
>> >
>> > Essentially the main functions you would expect from a Win 2k3 server
>> > will be there. It's been almost 10 months since I installed it, and it's
>> > been smooth sailing so far.
>> >
>> > Some features have been added / tweaked with the latest alpha 14, but I
>> > have not kept up to date.
>> >
>>       What you have there is exactly all I want to do. I might need to
>> harass you for any details. My main question right now has to do with
>> DNS and DHCP: since the box is running bind, must it be the master for
>> that zone? After all, I already have a happy dns/dhcp server. Can I
>> get away making the samba4 box a slave bind box and just add the
>> relevant options (netbios-whatever) to my current dhcp?
>>
>> > On Mon, Jun 6, 2011 at 6:20 PM, Mauricio Tavares wrote:
>> >
>> >>        I keep hearing Samba 4 is not ready to be used. Can anyone
>> >> elaborate on its current status?


Re: [Samba] On Samba4

2011-06-07 Thread Mauricio Tavares
On Tue, Jun 7, 2011 at 5:04 AM,   wrote:
> Hi,
>
> I'm running Samba4 alpha 12 as the only DC and file server on my local
> network.
>
> It is working well. After the initial setup, everything can be managed from
> a Windows workstation.
>
> Functions I've tried so far:
> - Group policy objects
> - Adding / removing users
> - Roaming profiles
> - DNS updates
>
> Essentially the main functions you would expect from a Win 2k3 server will
> be there. It's been almost 10 months since I installed it, and it's been
> smooth sailing so far.
>
> Some features have been added / tweaked with the latest alpha 14, but I have
> not kept up to date.
>
  What you have there is exactly all I want to do. I might need to
harass you for any details. My main question right now has to do with
DNS and DHCP: since the box is running bind, must it be the master for
that zone? After all, I already have a happy dns/dhcp server. Can I
get away making the samba4 box a slave bind box and just add the
relevant options (netbios-whatever) to my current dhcp?

> On Mon, Jun 6, 2011 at 6:20 PM, Mauricio Tavares wrote:
>
>>        I keep hearing Samba 4 is not ready to be used. Can anyone elaborate
>> on its current status?


[Samba] On Samba4

2011-06-06 Thread Mauricio Tavares
	I keep hearing Samba 4 is not ready to be used. Can anyone elaborate on 
its current status?



Re: [Samba] Kerberos, Samba, and XP wanting to map local users with authenticated ones

2011-05-31 Thread Mauricio Tavares
On Fri, May 27, 2011 at 6:28 PM, Jeremy Allison  wrote:
> On Fri, May 27, 2011 at 04:56:25PM -0400, Mauricio Tavares wrote:
>> Ok, I understand if I only have kerberos and windows, if I login as a
>> kerberos user, I better have a local user mapped to it or I will not
>> be able to login. But, now I have samba involved. If I tell it about
>> kerberos server,
>>
>> workgroup = LAZYASS
>> realm = MY.REALM
>> security = ads
>> kerberos method = system keytab
>>
>> shouldn't it see there is local (to samba's server) user bob,
>> principal bob@MY.REALM, and then mount bob's homedir if I try to login
>> as bob? Or am I missing an important step? I did join the xp box to
>> LAZYASS and can see there the fileserver's home fileshare (the only
>> thing I am exporting). But that is as far as I get.
>>
>> The exact error message I am getting is
>>
>> "The system cannot log you on due to the following error:
>>
>> Mapping between account names and security IDs was done."
>>
>> It almost sounds like it is completely ignoring the samba side of the show.
>
> Do you have winbindd running ? You need this to generate
> the local UNIX userid's that Samba will use to represent
> Windows users.
>
 I don't seem to have it up and running:

[2011/05/31 16:13:04,  0]
winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)
 initialize_winbindd_cache: clearing cache and re-creating with
version number 1
[2011/05/31 16:13:04,  0] winbindd/winbindd_util.c:782(init_domain_list)
 Could not fetch our SID - did we join?
[2011/05/31 16:13:04,  0] winbindd/winbindd.c:1399(main)
 unable to initialize domain list

How can't it join the domain if it is the PDC?


[Samba] Kerberos, Samba, and XP wanting to map local users with authenticated ones

2011-05-27 Thread Mauricio Tavares
Ok, I understand if I only have kerberos and windows, if I login as a
kerberos user, I better have a local user mapped to it or I will not
be able to login. But, now I have samba involved. If I tell it about
kerberos server,

workgroup = LAZYASS
realm = MY.REALM
security = ads
kerberos method = system keytab

shouldn't it see there is local (to samba's server) user bob,
principal bob@MY.REALM, and then mount bob's homedir if I try to login
as bob? Or am I missing an important step? I did join the xp box to
LAZYASS and can see there the fileserver's home fileshare (the only
thing I am exporting). But that is as far as I get.

The exact error message I am getting is

"The system cannot log you on due to the following error:

Mapping between account names and security IDs was done."

It almost sounds like it is completely ignoring the samba side of the show.


[Samba] FAQ: Mounting user homespace in a given drive letter

2005-01-27 Thread Mauricio Tavares
Is there a way to make the [homes] partitions to be 
automatically mounted (say, as the Z: drive) when the user logs in to 
the samba 3 domain using a win98 or a win2k box?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] samba 3.0.9 server is not seen in its workgroup

2004-12-13 Thread Mauricio Tavares
I am trying to put a Samba 3.0.9 (a Solaris 9 box) in a windows 
network where a W2000 machine is the main server/domain 
controller/whatever. All I want to do is to be able to have the machine 
seen in the workgroup; it can cheerfully ignore the windows users and 
use instead its own users (in smbpasswd and /etc/passwd).  This is what 
I have it set up as (and probably should be changed):

[global]
   workgroup = MCH
   server string = Yucca
   netbios name = yucca
   local master = yes
   os level = 33
   preferred master = yes

When I browse the MCH workgroup, yucca is not there. However, I have no 
problem mounting it by entering its address, as in, say, 
//yucca.somewhere.com/user. Can anyone see what I am doing wrong here?
