[Samba] Going insane (can't logon from Windows)

2007-06-13 Thread Mont Rothstein

I have Fedora Directory Server (1.0.4) running on a Red Hat Linux (RHEL 4)
with Samba (3.0.10-1.4E.12.2).

I have a Windows XP box that I have successfully joined to the domain.

When I go to login with a domain user I get the following error:

Windows cannot connect to the domain, either because the domain controller
is down or otherwise unavailable, or because your computer account was not
found.

In the Windows system event log there is the following entry:

Event Type:Error
Event Source:NETLOGON
Event Category:None
Event ID:3210
Date:6/12/2007
Time:10:08:02 AM
User:N/A
Computer:WINXP-CLEAN
Description:
This computer could not authenticate with \\RHEL-CLEAN2, a Windows domain
controller for domain MYDOMAIN, and therefore this computer might deny logon
requests. This inability to authenticate might be caused by another computer
on the same network using the same name or the password for this computer
account is not recognized. If this message appears again, contact your
system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: c022


The only thing in smb.log is:

[2007/06/12 11:41:09, 0] lib/util_sock.c:get_peer_addr(1000)
 getpeername failed. Error was Transport endpoint is not connected

The only thing in the machine's samba log is:

[2007/06/12 11:41:09, 0] lib/util_sock.c:get_peer_addr(1000)
 getpeername failed. Error was Transport endpoint is not connected
[2007/06/12 11:41:09, 0] lib/util_sock.c:write_socket_data(430)
 write_socket_data: write failure. Error = Connection reset by peer
[2007/06/12 11:41:09, 0] lib/util_sock.c:write_socket(455)
 write_socket: Error writing 4 bytes to socket 24: ERRNO = Connection reset
by peer
[2007/06/12 11:41:09, 0] lib/util_sock.c:send_smb(647)
 Error writing 4 bytes to client. -1. (Connection reset by peer)


There is nothing in the Fedora log near to when the workstation boots or the
user tries to login.

I can connect to a share on the server from the Windows computer, when
logged in as a local user, using net view or entering the path directly
(\\rhel-clean2\sharename\).

I can ping the server from the workstation and vice versa.

I've explicitly added the workstation to the forward and reverse DNS zone
files.

The time of the server and workstation is less than 5 min apart.

I have explicitly added the linux server as a WINS server on the Windows box
(just in case).

All of the Windows diagnostic tests I have performed point to the machine's
password being out of sync or various things about group policies for
encryption and such.  I tried turning off all of the related group policies
with no effect.


I am pulling my hair out trying to figure this out.  Any and all help is
appreciated.

smb.conf is below.

Thanks,
-Mont


[global]

# workgroup = NT-Domain-Name or Workgroup-Name
  workgroup = mydomain

# ldap settings
   passdb backend = ldapsam:ldap://mydomain.com:53911
   ldap admin dn = cn=Directory Manager
   ldap suffix = dc=mydomain,dc=com
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups

# PDC Settings
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes

# Windows integration settings
   wins support = yes
   logon home = \\%L\%u\profiles
   logon path = \\%L\profiles\%u
   logon drive = H:
   add machine script = /usr/sbin/adduser -n -g machinetrust -c Machine -d /dev/null -s /bin/false %u

# Log Settings
   log file = /var/log/%m.log
   log file = /var/log/samba/%m.log
   max log size = 50

# Misc Global Settings
   server string = FDS Server
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 33
   time server = true
   hide files = /desktop.ini/
   dns proxy = no

# Security Settings
  security = user
   obey pam restrictions = yes
   encrypt passwords = yes
  password server = None
   restrict anonymous = 2

# Share Definitions
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
  template shell = /bin/false
  winbind use default domain = no

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browsable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

[repository]
   path = /repository
   guest ok = yes
   writeable = yes
   browseable = yes
   create mask = 0600
   directory mask = 0700
   # Restrict access to only users in the following group(s)
   #valid users = @shortdomainname\group name
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net drive mapping not working in login script

2006-04-06 Thread Mont Rothstein
Do your users' home directories already exist?  They need to.  Samba does
not by default auto-create them.

If you want to auto-create them options include:
1) A preexec in the [homes] section
2) Create them as part of the add user script
3) Use pam_mkhomedir

-Mont


On 4/6/06, Chris Boyd [EMAIL PROTECTED] wrote:

 I've set the path for each user in pdbedit and created a login script with
 drive mapping etc etc
 The network drives aren't being mapped when I login each user:
 smb.conf
 [global]
 printcap name = cups
 cups options = raw
 map to guest = Bad User
 #   include = /etc/samba/dhcp.conf
 logon path = \\%L\profiles\.msprofile
 logon home = \\%L\%U\.9xprofile
 logon drive = P:


 [protel]
 comment = Protel Data Folder
 path = /protel
 #   drive = K:
 read only = no
 [netlogon]
 comment = Network Logon Service
 path = /var/lib/samba/netlogon
 write list = root
 admin users = root
 guest ok = Yes
 browseable = No

 pdbedit -L -v

 Unix username:aillin
 NT username:
 Account Flags:[U  ]
 User SID: S-1-5-21-1439502771-4027299746-1242570080-3004
 Primary Group SID:S-1-5-21-1439502771-4027299746-1242570080-513
 Full Name:aillin
 Home Directory:   \\ucd01\aillin\.9xprofile
 HomeDir Drive:P:
 Logon Script: \\ucd01\netlogon\aillin.bat
 Profile Path: \\ucd01\profiles\.msprofile
 Domain:   UCD
 Account desc:
 Workstations:

 vim /vavr/lib/samba/netlogon/aillin.bat

 echo Setting Current Time...
 net time UCD01 /set /yes

 echo Mapping Network Drives to StressFree File Server UCD01...
 net use k: UCD01protel
 net use s: UCD01share
 #net use t: EXAMPLESERVERtemp



 Chris Boyd
 Systems Engineer
 USIT
 19-21 Aston Quay
 Dublin 2
 Ireland

 Tel: +353 1 6021670
 Fax: +353 1 6771602
 www.usit.ie



Re: [Samba] net drive mapping not working in login script

2006-04-06 Thread Mont Rothstein
I made a possibly bad assumption that Chris was adding users by some
mechanism other than on the unix box, and therefore that the user's home
directories had not been created.

Still, your strong response seems to imply that even in this case there is
some way to have the unix home directories auto-created.  I've pored through
the samba docs, googled, and asked questions.  The three answers I found/got
were those that I listed.

If there is in fact a way to do this would you be so kind as to point me to
the section of the doc that discusses it?  I can't find it.

Thanks,
-Mont


On 4/6/06, Craig White [EMAIL PROTECTED] wrote:

 On Thu, 2006-04-06 at 09:51 -0700, Mont Rothstein wrote:
  Do your users' home directories already exist?  They need to.  Samba does
  not by default auto-create them.
 
  If you want to auto-create them options include:
  1) A preexec in the [homes] section
 
 shouldn't be necessary
 
  2) Create them as part of the add user script
 
 shouldn't be necessary
 
  3) Use pam_mkhomedir
 
 shouldn't be necessary

 Samba documentation covers this very clearly. A reference to the
 documentation would probably be better than the above advice.

 see Samba 3 Official HowTo

 http://www.samba.org/samba/docs

 FWIW - I see neither a [homes] or [profiles] share in your setup and I
 didn't see mention of the fact that you have 'joined' the Windows
 computers to the domains.

 Craig
 
 
  -Mont
 
 
  On 4/6/06, Chris Boyd [EMAIL PROTECTED] wrote:
  
   I've set the path for each user in pdbedit and created a login script with
   drive mapping etc etc
   The network drives aren't being mapped when I login each user:
   smb.conf
   [global]
   printcap name = cups
   cups options = raw
   map to guest = Bad User
   #   include = /etc/samba/dhcp.conf
   logon path = \\%L\profiles\.msprofile
   logon home = \\%L\%U\.9xprofile
   logon drive = P:
  
  
   [protel]
   comment = Protel Data Folder
   path = /protel
   #   drive = K:
   read only = no
   [netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   write list = root
   admin users = root
   guest ok = Yes
   browseable = No
  
   pdbedit -L -v
  
   Unix username:aillin
   NT username:
   Account Flags:[U  ]
   User SID: S-1-5-21-1439502771-4027299746-1242570080-3004
   Primary Group SID:S-1-5-21-1439502771-4027299746-1242570080-513
   Full Name:aillin
   Home Directory:   \\ucd01\aillin\.9xprofile
   HomeDir Drive:P:
   Logon Script: \\ucd01\netlogon\aillin.bat
   Profile Path: \\ucd01\profiles\.msprofile
   Domain:   UCD
   Account desc:
   Workstations:
  
   vim /vavr/lib/samba/netlogon/aillin.bat
  
   echo Setting Current Time...
   net time UCD01 /set /yes
  
   echo Mapping Network Drives to StressFree File Server UCD01...
   net use k: UCD01protel
   net use s: UCD01share
   #net use t: EXAMPLESERVERtemp
  
  
  
   Chris Boyd
   Systems Engineer
   USIT
   19-21 Aston Quay
   Dublin 2
   Ireland
  
   Tel: +353 1 6021670
   Fax: +353 1 6771602
   www.usit.ie
  


Re: [Samba] Automatically create profile directory

2006-04-05 Thread Mont Rothstein
Thanks guys.  Making the profiles directory world writeable did it!

-Mont


On 4/4/06, Steve Feehan [EMAIL PROTECTED] wrote:

 On 4/4/06, Mont Rothstein [EMAIL PROTECTED] wrote:
  I have my Samba PDC setup to use roaming profiles.  If the user's profile
  directory exists (ex: /var/lib/samba/profiles/someuser) with the correct
  permissions and ownership then it works fine.
 
  However, I expect (incorrectly?) that Samba would auto-create the user's
  profile directory the first time the user logged in.  Am I wrong or have I
  missed something?
 
  Thanks,
  -Mont
 

 The parent directory has to be writable by the user since the profile
 directory is created with the privilege of that user. So something
 like:

   chmod 1777 /var/lib/samba/profiles

 Should be sufficient. Not pretty, but sufficient.

 --
 Steve Feehan
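
Added example (not part of the thread): a shell audit for the layout that `chmod 1777` on the profiles parent creates, checking that the sticky bit is really set and that each entry is a real directory owned by the user it is named after and closed to group and other. It assumes GNU `stat` and profile directories named after the Unix user, as in /var/lib/samba/profiles/someuser above; the function names and the sample tree are constructed for the example.

```sh
#!/bin/sh
# Added example: audit a roaming-profile parent directory (for instance
# /var/lib/samba/profiles) after it has been opened up with chmod 1777.
# Requires GNU stat, as found on the Linux servers discussed in the thread.

# perm_bits PATH MASK -> decimal value of PATH's mode bits selected by octal MASK
perm_bits() {
    pb_mode=$(stat -c '%a' "$1") || return 2
    echo $(( 0$pb_mode & $2 ))
}

# audit_profiles DIR -> one finding per line; returns 0 clean, 1 findings, 2 error
audit_profiles() {
    ap_root=$1
    ap_rc=0
    if [ ! -d "$ap_root" ]; then
        echo "ERROR not a directory: $ap_root"
        return 2
    fi
    # World-writable without the sticky bit: any user may rename or delete
    # another user's profile directory.
    if [ "$(perm_bits "$ap_root" 0002)" -ne 0 ] &&
       [ "$(perm_bits "$ap_root" 01000)" -eq 0 ]; then
        echo "PARENT world-writable without sticky bit"
        ap_rc=1
    fi
    for ap_entry in "$ap_root"/*; do
        ap_name=${ap_entry##*/}
        # A symlink planted under a user name redirects that profile elsewhere.
        if [ -L "$ap_entry" ]; then
            echo "LINK $ap_name is a symlink, not a profile directory"
            ap_rc=1
            continue
        fi
        [ -d "$ap_entry" ] || continue
        # Anyone can create entries here, so a directory named after one user
        # but owned by another was created by the wrong account.
        ap_owner=$(stat -c '%U' "$ap_entry")
        if [ "$ap_owner" != "$ap_name" ]; then
            echo "OWNER $ap_name is owned by $ap_owner"
            ap_rc=1
        fi
        if [ "$(perm_bits "$ap_entry" 0077)" -ne 0 ]; then
            echo "MODE $ap_name is accessible to group or other"
            ap_rc=1
        fi
    done
    return "$ap_rc"
}

# build_sample_tree -> creates a constructed profiles tree, prints its path
build_sample_tree() {
    bs_root=$(mktemp -d) || return 1
    bs_me=$(stat -c '%U' "$bs_root")
    chmod 1777 "$bs_root"
    mkdir -m 700 "$bs_root/$bs_me"              # sound: owner matches name, 0700
    mkdir -m 755 "$bs_root/constructed-user-a"  # wrong owner and too open
    ln -s "$bs_root/$bs_me" "$bs_root/constructed-user-b"  # planted symlink
    echo "$bs_root"
}

if [ "$#" -ge 1 ]; then
    audit_profiles "$1"
else
    demo_root=$(build_sample_tree)
    audit_profiles "$demo_root" || true
    rm -rf "$demo_root"
fi
```

Run it with the profiles path as the only argument; with no argument it audits the constructed sample tree.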



[Samba] Automatically create profile directory

2006-04-04 Thread Mont Rothstein
I have my Samba PDC setup to use roaming profiles.  If the user's profile
directory exists (ex: /var/lib/samba/profiles/someuser) with the correct
permissions and ownership then it works fine.

However, I expect (incorrectly?) that Samba would auto-create the user's
profile directory the first time the user logged in.  Am I wrong or have I
missed something?

Thanks,
-Mont


[Samba] Problem creating Samba Admin account

2006-03-23 Thread Mont Rothstein
I am trying to create a Samba Admin account in FDS as per the final steps of
http://directory.fedora.redhat.com/wiki/Howto:Samba

I've asked about this on the FDS mailing list with no luck, I am hoping
someone here will be able to help me.

I've created a file with contents:

Administrator:x:0:0:Samba Admin:/root:/bin/bash


I then ran:

/usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaAdmin 
/tmp/sambaAdmin.ldif


but when I get to converting the ldif to ldap via:

/opt/fedora-ds/slapd-server/ldif2ldap cn=Directory manager
password /tmp/sambaAdmin.ldif


I get the following error:

adding new entry uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class kerberosSecurityObject

As far as I know I haven't enabled kerberos anywhere.  Does anyone know what
I need to do to resolve this?

Thanks,
-Mont


[Samba] Re: getlocalsid: adding domain info...failed

2006-03-13 Thread Mont Rothstein
I figured this out, in case anyone else comes across it.  The problem was
with the conversion of the samba schema.  Fedora has a bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170791


The conversion script pointed to by:

http://directory.fedora.redhat.com/wiki/Howto:Samba

is out-of-date.  A newer version, that works around this bug can be found
at:

http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl

-Mont


On 3/7/06, Mont Rothstein [EMAIL PROTECTED] wrote:

 I am trying to integrate Fedora Directory Server (1.0.1) and Samba (3.0.10)
 on RHEL ES4.

 When I execute net getlocalsid I get the following:

 [2006/03/07 17:55:29, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
   Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
 SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367

 My workgroup is currently set to workgroup and I can perform an
 ldapsearch.

 I saw one reference on the web to ignore this, but I was skeptical.

 What could be causing this error?

 The output of my testparm is below.

 Thanks,
 -Mont

 Load smb config files from /etc/samba/smb.conf
 Processing section [netlogon]
 Processing section [profiles]
 Processing section [homes]
 Processing section [printers]
 Processing section [repository]
 Processing section [root directory]
 Loaded services file OK.
 WARNING: You have some share names that are longer than 12 characters.
 These may not be accessible to some older clients.
 (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions
 # Global parameters
 [global]
 server string = rheles4rs1
 password server = None
 passdb backend = ldapsam:ldap://rheles4rs1.forayadams.foray.com:3911
 username map = /etc/samba/smbusers
 log file = /var/log/%m.log
 max log size = 50
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = /etc/printcap
 logon path = \\%L\profiles\%u
 logon drive = H:
 logon home = \\%L\%u\profiles
 domain logons = Yes
 os level = 33
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 ldap admin dn = cn=Directory Manager
 ldap group suffix = ou=Groups
 ldap machine suffix = ou=Computers
 ldap suffix = dc=forayadams,dc=foray,dc=com
 ldap user suffix = ou=People
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 cups options = raw

 [netlogon]
 path = /var/lib/samba/netlogon
 browseable = No

 [profiles]
 path = /var/lib/samba/profiles
 read only = No
 create mask = 0600
 directory mask = 0700

 [homes]
 comment = Home Directories
 read only = No
 browseable = No

 [printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 browseable = No

 [repository]
 path = /repository
 valid users = testadmin, testuser
 read only = No




Re: [Samba] getlocalsid error

2006-03-07 Thread Mont Rothstein
Thanks for the slap upside the head, my ability to query via the command
line is definitely broken.  I'd gotten console access working and forgotten
to check that.

Also, just so you don't think I'm a complete fool, the root share was only
in there because I'm testing (this is all in a VM).

Off to figure out why ldapsearch isn't working.

Thanks,
-Mont


On 3/6/06, Craig White [EMAIL PROTECTED] wrote:

 On Mon, 2006-03-06 at 17:13 -0800, Mont Rothstein wrote:
  I am trying to integrate Samba version 3.0.10 with Fedora Directory
  Server (1.0.1) on RHEL 4.
 
  I am attempting to follow:
  http://directory.fedora.redhat.com/wiki/Howto:Samba
 
  but I am getting an error with net getlocalsid.  The output is:
 
  [2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_connect_system(850)
failed to bind to server with dn= cn=Directory Manager Error: Can't
  contact LDAP server
  (unknown)
  [2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_search_suffix(1155)
smbldap_search_suffix: Problem during the LDAP search: (unknown)
 (Timed
  out)
  SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367
 
  While I get a SID I assume I should not proceed with these errors.
 
  I've gone over my config and I can't find my error.  I've searched online and
  can't find anything.
 
  The full output of testparm is below.
 
  Any ideas as to what I've done wrong?
 
 
 We're sort of lacking confirmation that you can actually query the LDAP
 server including binding as cn=Directory Manager from the command line.
 There's no reason to believe at this point that the problem is Samba

 Craig

 ps - I would heavily recommend against sharing your /root directory via
 samba



[Samba] getlocalsid: adding domain info...failed

2006-03-07 Thread Mont Rothstein
I am trying to integrate Fedora Directory Server (1.0.1) and Samba (3.0.10)
on RHEL ES4.

When I execute net getlocalsid I get the following:

[2006/03/07 17:55:29, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
  Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367

My workgroup is currently set to workgroup and I can perform an ldapsearch.

I saw one reference on the web to ignore this, but I was skeptical.

What could be causing this error?

The output of my testparm is below.

Thanks,
-Mont

Load smb config files from /etc/samba/smb.conf
Processing section [netlogon]
Processing section [profiles]
Processing section [homes]
Processing section [printers]
Processing section [repository]
Processing section [root directory]
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
server string = rheles4rs1
password server = None
passdb backend = ldapsam:ldap://rheles4rs1.forayadams.foray.com:3911
username map = /etc/samba/smbusers
log file = /var/log/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
logon path = \\%L\profiles\%u
logon drive = H:
logon home = \\%L\%u\profiles
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=forayadams,dc=foray,dc=com
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[repository]
path = /repository
valid users = testadmin, testuser
read only = No


[Samba] getlocalsid error

2006-03-06 Thread Mont Rothstein
I am trying to integrate Samba version 3.0.10 with Fedora Directory
Server (1.0.1) on RHEL 4.

I am attempting to follow:
http://directory.fedora.redhat.com/wiki/Howto:Samba

but I am getting an error with net getlocalsid.  The output is:

[2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_connect_system(850)
  failed to bind to server with dn= cn=Directory Manager Error: Can't
contact LDAP server
(unknown)
[2006/03/06 10:00:21, 0] lib/smbldap.c:smbldap_search_suffix(1155)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed
out)
SID for domain RHELES4RS1 is: S-1-5-21-807157010-1821471989-4121009367

While I get a SID I assume I should not proceed with these errors.

I've gone over my config and I can't find my error.  I've searched online and
can't find anything.

The full output of testparm is below.

Any ideas as to what I've done wrong?

Thanks,
-Mont

Load smb config files from /etc/samba/smb.conf
Processing section [netlogon]
 Processing section [profiles]
Processing section [homes]
Processing section [printers]
Processing section [repository]
Processing section [root directory]
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
server string = rheles4rs1
password server = None
passdb backend = ldapsam:ldap://rheles4rs1.forayadams.foray.com
username map = /etc/samba/smbusers
log file = /var/log/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
logon path = \\%L\profiles\%u
logon drive = H:
logon home = \\%L\%u\profiles
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
 ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=forayadams,dc=foray,dc=com
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
 directory mask = 0700

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[repository]
path = /repository
valid users = testadmin, testuser
read only = No

[root directory]
path = /
valid users = mont
read only = No


[Samba] Windows admin, anything special?

2005-12-14 Thread Mont Rothstein
I apologize for re-posting, but I am stuck.

Has anyone connected from a Windows XP admin account to a Samba server?

Did you have to do anything special?

All of my other users work but not my admin account.

Thanks,
-Mont


Re: [Samba] Windows admin, anything special?

2005-12-14 Thread Mont Rothstein
What I missed, and I'm not sure if it is in the docs or simply the nature of
my distro (RHEL ES 4), is that smbusers has a default entry of root =
administrator admin

This doesn't show up in the system-config-admin UI.  I don't want admin to
be root, so I had created a Unix account named administrator and given it
the samba/windows name of admin.

Thanks for asking.

If there isn't anything in the official docs about this perhaps a warning
somewhere?

-Mont


On 12/14/05, John H Terpstra [EMAIL PROTECTED] wrote:

 On Wednesday 14 December 2005 09:54, Mont Rothstein wrote:
  I apologize for re-posting, but I am stuck.
 
  Has anyone connected from a Windows XP admin account to a Samba server?
 
  Did you have to do anything special?
 
  All of my other users work but not my admin account.

 Have you read any of the official Samba documentation?

 http://www.samba.org/samba/docs/

 If you have, what parts do not make sense to you?

 - John T.
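
Added example (not part of the thread): a shell resolver for a Samba `username map` file such as the smbusers file mentioned above, showing which client names end up as root. It follows the documented processing order (line by line, later lines can remap again, a leading `!` stops at the first match, `*` matches any name); the sample file is constructed apart from the `root = administrator admin` line quoted in the thread, group forms such as `@group` are not expanded, and all function names are made up for the example.

```sh
#!/bin/sh
# Added example: resolve client names through a Samba "username map" file.

# One awk program, two modes:
#   mode=list         print every client name found on a right-hand side
#   mode=map cur=NAME print the Unix account NAME is finally mapped to
USERMAP_AWK='
function tokens(s, arr,    n) {
    n = 0
    # names are separated by whitespace; double quotes keep spaces together
    while (match(s, /"[^"]*"|[^ \t"]+/)) {
        arr[++n] = substr(s, RSTART, RLENGTH)
        gsub(/"/, "", arr[n])
        s = substr(s, RSTART + RLENGTH)
    }
    return n
}
/^[ \t]*([#;]|$)/ || !index($0, "=") { next }    # comments, blanks, junk
{
    eq = index($0, "=")
    unix = substr($0, 1, eq - 1)
    gsub(/[ \t]/, "", unix)
    stop = (substr(unix, 1, 1) == "!")            # "!" means stop on match
    if (stop) unix = substr(unix, 2)
    n = tokens(substr($0, eq + 1), names)
    for (i = 1; i <= n; i++) {
        if (mode == "list") { print names[i]; continue }
        if (names[i] == "*" || tolower(names[i]) == tolower(cur)) {
            cur = unix                            # remap, then keep reading
            if (stop) exit
            break
        }
    }
}
END { if (mode != "list") print cur }
'

# map_username FILE NAME -> Unix account that NAME is mapped to
# (names containing backslashes would need escaping for awk -v)
map_username() {
    awk -v mode=map -v cur="$2" "$USERMAP_AWK" "$1"
}

# aliases_for FILE UNIXUSER -> client names that resolve to UNIXUSER
aliases_for() {
    awk -v mode=list "$USERMAP_AWK" "$1" | while IFS= read -r af_name; do
        case $af_name in
            "@"*|"+"*|"&"*|"*"*) continue ;;      # group and wildcard forms
        esac
        if [ "$(map_username "$1" "$af_name")" = "$2" ]; then
            printf '%s\n' "$af_name"
        fi
    done
}

# write_sample_map FILE -> constructed sample; the root line is from the thread
write_sample_map() {
    cat > "$1" <<'EOF'
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
; constructed entry with a quoted name and a stop marker
!backup = "Backup Operator"
EOF
}

if [ "$#" -ge 1 ]; then
    aliases_for "$1" "${2:-root}"
else
    demo_map=$(mktemp)
    write_sample_map "$demo_map"
    echo "client names that become root:"
    aliases_for "$demo_map" root
    rm -f "$demo_map"
fi
```

Pass the map file path (and optionally a Unix account other than root) to list the client names that resolve to that account.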


[Samba] Windows admin user different?

2005-12-12 Thread Mont Rothstein
Is there anything different about connecting a Windows XP admin user to a
Samba server?  By this I mean the actual administrator/admin user account,
not simply a user in the admin group.

I have two different Samba servers where I have created an administrator
unix account and an admin Samba user account.  I also tried using
Administrator and administrator for the account name.

No matter what I do I can't get the admin user to successfully connect.  It
works fine with all of my other Windows XP users.

Thanks,
-Mont


Re: [Samba] Re: Windows-LDAP-Samba

2005-11-16 Thread Mont Rothstein
Thank you for that description, that helps a lot.

I just recently stumbled across authconfig which I think edits nsswitch.conf.

From your description it sounds like I probably don't need pGina
(http://pgina.xpasystems.com/). I came across some references that led me to
believe that it would be necessary on the Windows client for this to work.
Do you agree that pGina should not be necessary?

Thanks again,
-Mont


On 11/16/05, paul kölle [EMAIL PROTECTED] wrote:

 Mont Rothstein wrote:
  I am hoping someone can tell me if I am trying something that can't be done.
 Well, if I understood you correctly I'll say yes ;)

 Don't make it harder than it is, there are only three parties involved

 1) Windows (the client)
 2) Samba (app server)
 3) LDAP (authentication backend)

 Windows never talks directly to LDAP (at least not in this scenario), it
 always contacts samba, PDC or not. So the windows box asks samba hey, I
 want to write to your disk... and samba, being a sensitive piece of
 software insists: Wait a minute, tell me who you are and prove this
 somehow, then I'll ask my backend if it knows you and if your proof
 holds true,

 The stupid windows client, not knowing that he speaks to the glory UNIX
 world sends its usual credentials, a string like MYWORSTATION\joe and a
 secret hash.

 Now samba looks for a UNIX user joe via the normal system calls used on
 unix and in its configured backend for the hash and all the other pieces
 needed in the windows world and not present on a normal unix system
 account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
 come from. They need to be known to the system where samba is installed,
 period.

 Fortunately, linux/unix has quite a few sources where names may come
 from. This is abstracted through the NSS interface and implemented by
 shared libraries whose names happen to be libnss_servicename.so. If
 you have a line like:

 passwd: files ldap

 in your /etc/nsswitch.conf, the system will ask libnss_files.so and
 libnss_ldap.so for the names and numbers commonly known as accounts.

 In your case, you want to enable/disable/setup users in LDAP only. All
 you have to do is:

 1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
 2. Instruct samba to fetch the windows bits from ldap (passdb backend).

 couldn't stress this point of common misconception less, sorry.
 Paul
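
Added example (not part of the thread): a shell check for the two steps listed above, reading the `passwd` sources from an nsswitch.conf and the `passdb backend` from the `[global]` section of an smb.conf. It goes slightly beyond the quoted `passwd:` line by also checking `group:`; the sample files are constructed (the backend URL and suffix are copied from the smb.conf posted earlier on this page), and the function names are made up for the example.

```sh
#!/bin/sh
# Added example: verify both halves of "Unix names from LDAP, Windows bits
# from LDAP" by reading nsswitch.conf and smb.conf.

# nss_sources FILE DATABASE -> lookup sources for DATABASE; fails if absent
nss_sources() {
    awk -v db="$2" '
        # drop comments and [STATUS=action] items, tolerate "passwd:files"
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, " "); sub(/:/, ": ") }
        $1 == (db ":") {
            line = ""
            for (i = 2; i <= NF; i++) line = line (i > 2 ? " " : "") $i
            print line
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# smb_global_param FILE NAME -> value of NAME in [global]; fails if absent.
# Names are matched ignoring case and spaces; the last occurrence wins.
smb_global_param() {
    sg_want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$sg_want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sect = tolower($0)
            gsub(/^[ \t]*\[|\].*$/, "", sect)
            next
        }
        sect == "global" && (eq = index($0, "=")) {
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", name)
            if (name == want) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (found) print val; exit (found ? 0 : 1) }
    ' "$1"
}

# ldap_identity_report NSSWITCH SMBCONF -> one OK/FAIL line per check;
# returns 0 only when every check passes
ldap_identity_report() {
    lr_rc=0
    for lr_db in passwd group; do
        lr_src=$(nss_sources "$1" "$lr_db") || lr_src=""
        case " $lr_src " in
            *" ldap "*) echo "OK   nsswitch $lr_db: $lr_src" ;;
            *) echo "FAIL nsswitch $lr_db: '$lr_src' has no ldap source"
               lr_rc=1 ;;
        esac
    done
    lr_be=$(smb_global_param "$2" "passdb backend") || lr_be=""
    case $lr_be in
        *ldapsam*) echo "OK   passdb backend: $lr_be" ;;
        *) echo "FAIL passdb backend: '$lr_be' is not ldapsam"
           lr_rc=1 ;;
    esac
    return "$lr_rc"
}

# write_samples DIR -> constructed nsswitch.conf and smb.conf in DIR
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample: passwd is wired to LDAP, group was forgotten
passwd:   files ldap
group:    files
hosts:    files dns [NOTFOUND=return]
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = mydomain
;  passdb backend = smbpasswd
   Passdb  Backend = ldapsam:ldap://mydomain.com:53911
   ldap suffix = dc=mydomain,dc=com
[repository]
   path = /repository
EOF
}

if [ "$#" -ge 2 ]; then
    ldap_identity_report "$1" "$2"
else
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir"
    ldap_identity_report "$demo_dir/nsswitch.conf" "$demo_dir/smb.conf" || true
    rm -rf "$demo_dir"
fi
```

Called with `/etc/nsswitch.conf /etc/samba/smb.conf` it reports on the live configuration; a passing report still needs `getent passwd <user>` to return the account before Samba can use it.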



[Samba] Windows-LDAP-Samba

2005-11-15 Thread Mont Rothstein
I am hoping someone can tell me if I am trying something that can't be done.

What I would like to be able to do is setup a Linux file server that Windows
users can use, including the use of ACLs. AFAIK this should not be a problem.

The way I would like to go about doing this is what may be a problem.

I would like to be able to add a user to the Directory Server (Fedora) and
only via interaction with the Directory Server enable the user to access the
Linux file server via Samba. The Samba server would simply be a file server,
not a PDC. Everything I have found thus far seems to require that I manually
create a Unix account for each user, and then add the Unix user to Samba and
LDAP.

Is the way I want to do this not possible, or am I simply reading the wrong
docs/being a foolish noobie?

I should also note that I am not tied to Fedora Directory Server if OpenLDAP
can do this but Fedora can't.

If anyone can confirm that I can/can not do what I want I would greatly
appreciate it.

Thanks,
-Mont


Re: [Samba] Windows-LDAP-Samba

2005-11-15 Thread Mont Rothstein
Sorry for being so vague, I was trying not to be :-)

I actually dived in days ago and I am swimming in docs, books, manuals, and
webpages.

Part of my challenge is that I'm not ever sure of what questions to ask.

Jeff's reply has helped (thanks Jeff). Looking up ldap authentication has
brought me to pages I hadn't seen yet. I'm not sure which ones I want yet,
but it is a start.

I wish I had specific technical questions to ask, I really do.

I have an LDAP server up and running as well as Samba. The two may or may
not be integrated correctly together.

I believe my next step is to get a windows machine to authenticate to the
Linux server via LDAP, without having to create a Unix account for the user.

The step after that will be to see if ACLs work.

If/when I get those two then I think I'll have what I need.

If you know any good pages on authenticating a windows client to a non-PDC
Linux Directory Server, I would love to see them.

Thank you for taking the time to ponder my troubles.

-Mont


On 11/15/05, Craig White [EMAIL PROTECTED] wrote:

 On Tue, 2005-11-15 at 12:23 -0800, Mont Rothstein wrote:
  I am hoping someone can tell me if I am trying something that can't be done.
  
  What I would like to be able to do is setup a Linux file server that Windows
  users can use, including the use of ACLs. AFAIK this should not be a problem.
  
  The way I would like to go about doing this is what may be a problem.
  
  I would like to be able to add a user to the Directory Server (Fedora) and
  only via interaction with the Directory Server enable the user to access the
  Linux file server via Samba. The Samba server would simply be a file server,
  not a PDC. Everything I have found thus far seems to require that I manually
  create a Unix account for each user, and then add the Unix user to Samba and
  LDAP.
  
  Is the way I want to do this not possible, or am I simply reading the wrong
  docs/being a foolish noobie?
  
  I should also note that I am not tied to Fedora Directory Server if OpenLDAP
  can do this but Fedora can't.
  
  If anyone can confirm that I can/can not do what I want I would greatly
  appreciate it.
 
 You make it really difficult to answer this because your questions focus
 only on the Posix side and what we are dealing with is Windows
 authentication and access to resources and obviously we need to account
 for Windows expectations for the Windows client to have a usable
 experience.

 LDAP can be a bunch of different things because it is a piece of putty
 to be shaped however you choose - the various implementations may or may
 not be limiting factors.

 Samba's expectation is that it ties a Windows authentication (generally
 a password hash and SID) to a Posix Account (a shell valid or not and a
 home directory) and the combination is used to evaluate access to
 resources. The beauty of open source is that the tools are there for you
 to modify as you see fit but you must always keep in mind that it's
 easier to swim in the direction of the tides.

 If your question is Fedora Directory Server or openldap, I simply can't
 answer that because I only have used openldap - perhaps some others can.
 I can tell you that for the most part, data can be migrated between the
 two (possibly with some editing but knowledge of perl/sed etc. can make
 that a much easier task) and that the knowledge of one ldap server will
 certainly leverage against learning the other.

 The only way for you to actually answer your question is to jump in
 because your question is a bit too general on all things windows and all
 things ldap to give you a specific answer.

 Craig

