[Samba] member server and groups
I have a samba 3 member server joined to a samba pdc using ldap. Join is OK.
Version is from debian wheezy: 3.6.6

With servers that are bdc's I have no problems with authentication, with the member server I cannot get group file permissions to work.

User file permissions work fine
Samba share user and group permissions work fine
getent group shows expected groups with correct gid, which is an improvement on the 3.5.4 that I tried before.

Only thing interesting the logs show is access denied.

BUT if I change the dir/file permission to domain users group THEN it works. So I think samba is only looking up the primary group. I know there was bug like this somewhere around 3.6.0

Is "net idmap secret alloc" no longer needed? It responds with "The only currently supported backend is LDAP". smbpasswd -w seemed to do all I needed.

Critical parts of my smb.conf
I'm using the nss_ldap method with nss-ldapd

    security = domain
    workgroup = DOMAIN
    ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com
    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=winstations,ou=systems
    ldap ssl = Off
    idmap config DOMAIN : backend = ldap
    idmap config DOMAIN : range= 8-99000
    idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/
    winbind use default domain = yes

    [comp]
    path = /home/shares/comp
    inherit permissions = yes
    public = no
    browsable = yes
    writeable = yes
    valid users = @computer

Directory perms

    drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp

nsswitch.conf

    passwd: compat ldap
    group: compat ldap
    shadow: compat ldap
    hosts: files dns wins
    networks: files

/etc/nslcd.conf

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd
    # The location at which the LDAP server(s) should be reachable.
    uri ldap://my.ldap.server/
    # The search base that will be used for all queries.
    base dc=domain,dc=com
    # The LDAP protocol version to use.
    #ldap_version 3
    # SSL options
    #ssl off
    #tls_reqcert never
    # The search scope.
    #scope sub

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] wbinfo ok, but getent nothing
On 2011/02/07 02:39 PM, Jean-Yves Avenard wrote:

After wasting 2 days on this ; I removed 3.5.6 then installed 3.4.9... And getent passwd properly shows everything :(

I had the same experience.. for me the problem is only on member servers, and only with getent group (getent passwd works)

So something is broken in 3.5.6

All the 3.5.x versions in fact...
[Samba] getent group fails on member server after upgrade to 3.5.5
I have a member server joined to a samba 3 domain. It was working fine with 3.4.8 but after an upgrade to 3.5.5 (debian lenny with backports) getent group no longer works.

getent passwd works fine, wbinfo -u and wbinfo -g work fine

I upgraded some other servers which are DC's and those work fine.

winbind.log shows

    [2010/10/21 14:06:13.918006, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
      [16709]: request interface version
    [2010/10/21 14:06:13.918103, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
      [16709]: request location of privileged pipe
    [2010/10/21 14:06:13.918288, 3] winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send)
      [16709]: getgrent
    [2010/10/21 14:06:14.618332, 5] winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)
      getgrent failed: NT_STATUS_NONE_MAPPED

Relevant parts of smb.conf

    security = domain
    ldap ssl = Off
    idmap backend = ldap:ldap://170.130.105.39
    idmap uid = 8-9
    idmap gid = 8-9
    idmap alloc backend = ldap
    idmap alloc config: ldap_url = ldap://170.130.105.39
    idmap alloc config: ldap_base_dn = ou=idmap,dc=gibb,dc=co,dc=za
    idmap alloc config: ldap_user_dn = cn=admin,ou=people,dc=gibb,dc=co,dc=za
    idmap alloc config: range = 8-9
    password server = *
    winbind enum groups = yes
    winbind enum users = yes

Relevant part of nsswitch.conf

    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files dns wins
Re: [Samba] samba 3.4.7 as NT4 domain member and win9x
On 2010/10/05 10:44 PM, Chris Weiss wrote:

I can connect win9x using local accounts, just not domain accounts. the same domain accounts work from all other OS's, and on older Samba versions.

I had a problem with a dos login to a domain account that worked with 3.2.x but not with 3.4.x and 3.5.x

I worked out it was trying to connect to a local account and ignoring the workgroup/domain. I simply created a local account since that worked for me. I forced the group bit on the directory so the files were readable by others.

But this may well be a bug.
Re: [Samba] NT4 Migration
Quoting Dermot:

sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

Are you using idmap? I had this when the nextgid value in idmap went out of range for some bizarre reason.
[Samba] wbinfo_group.pl and spaces in group names
Hi,

I'm using wbinfo_group.pl from samba 3.4.8 for squid ntlm authentication because I'm using multiple samba groups.
squid version is 2.7 from debian Lenny

squid.conf contains:

    external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl -d
    acl AuthorizedUsers proxy_auth REQUIRED
    acl internet external nt_group "/etc/squid/allowed-groups"
    http_access deny !internet

Allowed groups contains

    LAWCO\Internet%20Users
    GIBB\Computer

This tests fine from command line

    echo "lawco\\nprice lawco\\Internet%20users"|/usr/lib/squid/wbinfo_group.pl -d

But from squid it does not work, it seems that squid escapes the escape.

I changed wbinfo_group.pl

    foreach $group (@groups) {
        $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
        #this next line added by me
        $group =~ s/%20/ /;
        $ans = &check($user, $group);
        last if $ans eq "OK";
    }

Probably horrify perl purists but it works for me. Hope this helps someone.
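An added example, not part of the original post and not code from wbinfo_group.pl or Squid: the double-escaping workaround above, generalised so that a second decoding pass runs only when the first pass leaves `%XX` sequences behind, and so that group names with more than one space are handled. The helper names `unescape` and `decode_group` are hypothetical, and the request lines are constructed samples modelled on the command-line test in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode every %XX escape in a field exactly once.
sub unescape {
    my ($s) = @_;
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
    return $s;
}

# Decode a group field. If escapes remain after the first pass, the
# field was escaped twice (e.g. "%2520"), so decode one more time.
# Assumption: no real group name contains a literal "%XX" sequence.
sub decode_group {
    my ($field) = @_;
    my $once = unescape($field);
    return $once =~ /%[0-9a-fA-F]{2}/ ? unescape($once) : $once;
}

# Constructed sample request lines: "user group [group ...]".
my @lines = (
    'lawco\\nprice LAWCO\\Internet%20Users',             # escaped once
    'lawco\\nprice LAWCO\\Internet%2520Users',           # escaped twice
    'lawco\\nprice LAWCO\\Head%2520Office%2520Staff GIBB\\Computer',
);

for my $line (@lines) {
    my ($user, @groups) = split /\s+/, $line;
    $user = unescape($user);
    print "user=[$user]\n";
    print "  group=[", decode_group($_), "]\n" for @groups;
}
```

Because the result feeds an access-control decision, the second pass is conditional rather than a blanket "decode until nothing changes": a group whose name really contains a percent sign followed by two hex digits would otherwise be matched under a different name.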
Re: [Samba] Is "samba3_vscan" compiled anymore, by anyone?
On 2010/08/22 06:15 PM, Nico Kadel-Garcia wrote:

I'm looking at the RPM's over at http://ftp.sernet.de/pub/samba/3.5/, and noticing that the "samba3-vscan" package is not being built for any OS. Is this deliberate? If so, perhaps it can be deleted from the SRPM? It no longer builds correctly for Samba v3.5, and is a years old virus scanning tool in any case. It's therefore probably unsuitable for virus scanning of any modern CIFS share.

I haven't tried it yet but this looks like good candidate for replacing that package: http://svs.sourceforge.net/
[Samba] gecos?
This has always bothered me.. wtf does gecos mean (in the samba ldap)?
[Samba] Debian Lenny 3.5.3 packages pam-auth-update
I hope it is relevant to report this here.

The debian lenny samba 3.5.3 packages at http://pkg-samba.alioth.debian.org have this problem:

    Setting up winbind (2:3.5.3~dfsg-1~unoff50+1) ...
    /var/lib/dpkg/info/winbind.postinst: line 16: pam-auth-update: command not found
    dpkg: error processing winbind (--configure):
     subprocess post-installation script returned error exit status 127
    Errors were encountered while processing:
     winbind

I presume pam-auth-update is not relevant to Lenny. So I modified /var/lib/dpkg/info/winbind.postinst and ran dpkg --configure --pending. Seems fine.
Re: [Samba] Winbind 3.5.2 caching issues under SLES11???
On 2010/04/23 10:58 PM, Chris Smith wrote:

Don't know if it's related but on 2 systems with 3.5.2 I could not get the new idmap backend (moved from tdb to rid) to work without deleting the gencache* tdb's in addition to the winbind ones.

I had the same problem on 3.4.7 moving from tdb to ldap. I also had to get rid of nscd which for some reason Debian always installs with Samba.

I was confused because everything would come right after a reboot. I thought that Samba is emulating Windows a little TOO closely!

I wrote this little script while I was messing with different idmap options:

    #!/bin/sh
    #
    # stop samba, reset cache and restart
    /etc/init.d/winbind stop
    /etc/init.d/samba stop
    rm -f /var/run/samba/gencache.tdb
    rm -f /var/cache/samba/*.tdb
    /etc/init.d/samba start
    /etc/init.d/winbind start
    /etc/init.d/nslcd restart
[Samba] samba as a trusting domain
I'm establishing a trust to an NT domain (a real NT domain with real NT servers).

I set up the trusting domain on the NT server then on the samba server

    # net rpc trustdom establish lawco
    Enter GIBB.LOCAL$'s password:
    Could not connect to server CAPETOWN-2
    Trust to domain LAWCO established

It seems to work, but I always get the "could not connect to server". Just curious.
[Samba] idmap with member servers
I'm using a member server joined to my primary domain. I'm using winbind because I have a trusted domain.

Both pdc and member server have

    idmap uid = 8-9
    idmap gid = 8-9
    idmap backend = ldap:ldap://my.pcd

member server has

    security=domain
    password server = *

(and no passdb line)

nsswitch.conf on the member is

    passwd: compat winbind
    group: compat winbind
    shadow: compat

Everything works great. Mappings are stored in idmap and I have consistent uids for the trusted domain on both the pdc and the member server.

However mappings for the primary domain (that the server is a member of) on the member server are different from the pdc of that domain because it creates new mappings in idmap in ldap. That means that all member servers will have consistent mappings for the primary domain and all bdcs will have consistent mappings but the 2 sets of mappings will not be the same.

Is there any way I can make the 2 sets the same? Samba is 3.4.7.