RE: [Samba] modify permissions fail on new file server.

2004-01-01 Thread Sharp, Clint
Do you know if Veritas has ACL support on their file system?  I have to
admit that I'm not familiar with Solaris ACL implementation (I don't
know if it's POSIX).  However, the crux of the matter is, firstly, can
you set ACLs (may use the getfacl and setfacl or other commands on
Solaris) to something outside the traditional user, group, other
permissions UNIX defines and see them in the Windows security tab?  If
not, the only thing I've ever been able to do from the Windows ACL
editor is to change permissions on the entries already listed there,
because with no ACL support that's all the permissions UNIX can handle.

Clint

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Greg
> Sent: Wednesday, December 31, 2003 4:36 PM
> To: [EMAIL PROTECTED]
> Subject: [Samba] modify permissions fail on new file server.
> 
> 
> Hello, 
> 
> I'm using winbindd with samba 3.0.1.  Everything starts up as 
> expected 
> and tests return the expected results (wbinfo and getent).   Files 
> created via Windows clients are created with the proper ownership and 
> group membership.  When I attempt to modify the permissions via the 
> Windows security tab (add another group, change ownership for 
> example) 
> I'll get a Windows pop-up saying "permission denied" and the 
> output below 
> will be written out to the machine.log.  From a unix shell I can change 
> perms over NFS.
> 
> 
>   fetch uid from cache 3041 -> 
> S-1-5-21-861567501-1262210171-1417111838-1275
> [2003/12/31 16:46:07, 3] smbd/dosmode.c:unix_mode(110)
>   unix_mode(VFX/greg-test/foo) returning 0744
> [2003/12/31 16:46:07, 2] smbd/posix_acls.c:set_canon_ace_list(2414)
>   set_canon_ace_list: sys_acl_set_file type file failed for file 
> VFX/greg-test/foo (Operation not supported).
> [2003/12/31 16:46:07, 3] 
> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2499)
>   convert_canon_ace_to_posix_perms: Too many ACE entries for file 
> VFX/greg-test/foo to convert to posix perms.
> [2003/12/31 16:46:07, 3] smbd/posix_acls.c:set_nt_acl(3140)
>   set_nt_acl: failed to convert file acl to posix permissions 
> for file 
> VFX/greg-test/foo.
> [2003/12/31 16:46:07, 3] smbd/error.c:error_packet(94)
>   error string = Operation not supported
> 
> 
> As the file appears from UNIX:
> drwxr-xr-x    2 greg Domain Users   96 Dec 31 16:29 foo
> The dir this is in has a mode of 777 and is owned by 'greg'.
> 
> Samba was built with:
> configure --with-ads --with-pam --with-winbind-auth-challenge 
> --with-acl-support --with-winbind  --prefix=/opt/samba
> 
> The physical setup is as such: 
> W2kCLIENTS<---smb--->SAMBA-SERVER<---nfs--->NFS-SERVER===DISKARRAY
> 
> SAMBA-SERVER has 2 interfaces on it,  one samba listens on,  
> the other 
> is used for NFS traffic.
> NFS-SERVER has the physical drives attached to it,  using veritas 
> cluster file system version 3.x
> SAMBA-SERVER mounts the drives under /n/fire/array.  this is also 
> defined within smb.conf.
> 
> My question:  Why can I not change ACLs on the file system?  
> Is there 
> something I can do to correct this?
> I see it mentions too many ACE entries to convert to posix; I used a 
> local XFS file system a while ago and
>  things seemed to work as expected,  but this is no longer an option.
> 
> Thanks for your input,
> greg
> 
> 
> smb.conf:
> 
> [global]
> workgroup = CDP
> server string = Render Services %v
> security = DOMAIN
> interfaces = eth0
> encrypt passwords = Yes
> log level = 1
> log file = /opt/samba/log/%m.log
> max log size = 1000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> os level = 23
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> idmap uid = 3000-4000
> idmap gid = 3000-4000
> winbind use default domain = Yes
> admin users = @systems
> hosts allow = 172.16.92., 172.16.93., 172.16.94., 
> 172.16.95., 127.
> map acl inherit = Yes
> # since we have 2Gs of memory, lets see how this works out. -greg
> write cache size = 1048576  
> winbind cache time = 300
> template homedir = /home/winnt/%D/%U
> template shell = /bin/tcsh
> 
> 
> [array]
> path = /n/fire/array
> read only = No
> guest ok = Yes
> 
> mount:
> 
> fire:/export/array1 on /n/fire/array type nfs 
> (rw,bg,vers=3,soft,intr,addr=172.16.92.90)
> fire:/export/array2 on /n/fire/array/VFX type nfs 
> (rw,bg,vers=3,soft,intr,addr=172.16.92.90)
> 
> 
> Versions:
> SAMBA-SERVER
> Samba 3.0.1
> kernel 2.4.23-xfs
> NFS-SERVER:
> Solaris9 12-03 sparc
> Veritas 3.5
> Clients:
> NT2k w/ 500 patches.
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
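The failure in Greg's log is smbd first trying to store an extended ACL (rejected by the NFS-mounted VxFS share with "Operation not supported") and then trying to squeeze the ACE list into plain mode bits, which only works when every entry is the owner, the owning group or Everyone. The following is an added example, not Samba source: it models that fallback rule in Python so you can see which security-tab edits survive on a filesystem without ACL support. The principal names are taken from the thread; the `Who`/`Ace` types and `set_nt_acl` function are assumptions of this example.

```python
"""Model of smbd's fallback when the filesystem rejects extended ACLs.

Added example (not Samba code). It mimics the rule behind the
'Too many ACE entries ... to convert to posix perms' message: an NT
ACL can be stored as mode bits only when every entry refers to the
file owner, the owning group or Everyone. Anything else needs a real
POSIX ACL, which the VxFS-over-NFS share in the thread cannot store.
"""
from dataclasses import dataclass
from enum import Enum


class Who(Enum):
    OWNER = "owner"        # maps to the user bits  (rwx------)
    GROUP = "group"        # maps to the group bits (---rwx---)
    EVERYONE = "everyone"  # maps to the other bits (------rwx)
    NAMED = "named"        # a named user or group: needs an extended ACL


@dataclass(frozen=True)
class Ace:
    who: Who
    name: str    # principal name, informational only
    perms: int   # rwx bits, 0..7


class TooManyAceEntries(Exception):
    """Mirrors 'Too many ACE entries ... to convert to posix perms'."""


def aces_to_mode(aces):
    """Collapse an ACE list into a mode such as 0o744, or raise."""
    bits = {Who.OWNER: None, Who.GROUP: None, Who.EVERYONE: None}
    for ace in aces:
        # A named principal, or a second entry for the same class,
        # cannot be expressed with nine mode bits.
        if ace.who not in bits or bits[ace.who] is not None:
            raise TooManyAceEntries(ace.name)
        bits[ace.who] = ace.perms
    # A missing class simply gets no access (assumption of this model).
    u = bits[Who.OWNER] or 0
    g = bits[Who.GROUP] or 0
    o = bits[Who.EVERYONE] or 0
    return (u << 6) | (g << 3) | o


def set_nt_acl(fs_has_acl_support, aces):
    """Outcome of a security-tab change, as a status string."""
    if fs_has_acl_support:
        return "stored as extended POSIX ACL"
    try:
        return f"stored as mode {aces_to_mode(aces):04o}"
    except TooManyAceEntries as exc:
        return f"failed: too many ACE entries ({exc}), Operation not supported"


def demo():
    """The directory 'foo' from the thread (mode 0744, owner greg,
    group 'Domain Users'), edited three ways. Constructed input."""
    base = [Ace(Who.OWNER, "greg", 7),
            Ace(Who.GROUP, "Domain Users", 4),
            Ace(Who.EVERYONE, "Everyone", 4)]
    widened = [Ace(Who.OWNER, "greg", 7),
               Ace(Who.GROUP, "Domain Users", 5),
               Ace(Who.EVERYONE, "Everyone", 4)]
    extra_group = base + [Ace(Who.NAMED, "systems", 7)]
    return {
        "edit existing entry": set_nt_acl(False, widened),
        "add group systems": set_nt_acl(False, extra_group),
        "add group systems, ACL-capable fs": set_nt_acl(True, extra_group),
    }


if __name__ == "__main__":
    for action, result in demo().items():
        print(f"{action}: {result}")
```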

RE: [Samba] Slow logoff

2003-12-30 Thread Sharp, Clint
You have roaming profiles turned on.  Set:
logon path =
(yes that's nothing after the =) in your smb.conf if you don't need
roaming profiles.

Clint

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, December 30, 2003 12:53 PM
> To: [EMAIL PROTECTED]
> Subject: [Samba] Slow logoff
> 
> 
> I am running Samba 2.2.8a.  My XP and 2000 boxes take a long 
> time to log off. They appear to be saving profiles. The 
> Windows 98 and XP/2000 workgroup boxes log off quick as a 
> bunny. It the slow log off because XP/2000 domain members 
> must push all their settings to the Samba server or is there 
> a problem with my Samba installations?  I have three discrete 
> Samba networks that all exhibit the same performance problems.


RE: [Samba] Changing password from windows

2003-12-30 Thread Sharp, Clint
The passwd program it is expecting is a program which modifies your UNIX password.  
Smbpasswd modifies your samba password.  Try setting the following:

passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Clint

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, December 30, 2003 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] Changing password from windows
> 
> 
> Hi all!
> I had some problems with LDAP, so I set up a Samba PDC without 
> LDAP and then I 
> migrated it to LDAP.
> Before that, all worked fine, changing password from Windows 
> too. But now, a 
> popup in windows says "username or old password incorrect. 
> Password is case 
> sensitive" (it's not the exact sentence for you since I 
> translated it from my 
> language) and I got this error in log:
>   sambaPwdCanChange: value #0 already exists
> But the password is REALLY changed and the sync is OK!
> --> I got an error message but the command succeeded...
> 
> When I did it in a shell, I got no error...
> 
> Here is smb.conf:
> --- BEGIN SMB.CONF ---
> [global]
>   netbios name = PDCLINUX
>   workgroup = TESTDOMAIN
>   server string = TestCenter
>   comment = Controleur de Domaine
>   time server = yes
> 
>   passdb backend = ldapsam:ldap://ldap.mydomain.com
> 
>   encrypt passwords = yes
>   security = user
>   preferred master = yes
>   domain master = yes
>   local master = yes
>   domain logons = yes
>   wins support = yes
>   os level = 80
>   hosts allow = 192.168.0. 127.
> 
>   # LDAP
>   ldap admin dn = "cn=Manager,dc=mydomain,dc=com"
>   ldap ssl = off
>   ldap delete dn = no
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Groups
>   ldap machine suffix = ou=Computers
>   ldap suffix = dc=mydomain,dc=com
>   ldap passwd sync = yes
>   unix password sync = yes
> 
> log level = 256
> log file = /var/samba/log/%U.log
> passwd chat debug = yes
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *ew*password* %n\n *ew*password* %n\n
> 
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>   logon path = \\pdc.mydomain.com\profiles\%U
>   logon drive = H:
>   logon home = \\pdc.mydomain.com\%U
>   logon script = %U.bat
> 
>   add machine script = /usr/sbin/useradd -d /dev/null -g 
> machines - s /bin/false -c %U%I %U
> 
> [homes]
>   comment = Home Directory
>   guest ok = no
>   read only = no
>   create mask = 0664
>   directory mask = 0775
> 
> [netlogon]
>   comment = Network Logon Service
>   path = /var/samba/netlogon
>   read only = yes
>   guest ok = yes
>   share modes = no
>   root preexec = /var/samba/netlogon/login.pl %U %G %L
>   browseable = no
> --- END SMB.CONF ---
> 
> And here the log:
> --- BEGIN LOG ---
> [2003/12/30 15:43:49, 10] smbd/chgpasswd.c:dochild(217)
>   Invoking '/usr/local/samba/bin/smbpasswd testuser' as 
> password change program. [2003/12/30 15:43:49, 10] 
> lib/util_sock.c:read_socket_with_timeout(263)
>   read_socket_with_timeout: timeout read. select timed out. 
> [2003/12/30 15:43:49, 100] smbd/chgpasswd.c:expect(274)
>   expect: expected [*ew*password*] received [New SMB 
> password:] match yes [2003/12/30 15:43:49, 10] 
> smbd/chgpasswd.c:expect(285)
>   expect: returning True
> [2003/12/30 15:43:49, 100] smbd/chgpasswd.c:expect(237)
>   expect: sending [testuser
>   ]
> [2003/12/30 15:43:49, 10] 
> lib/util_sock.c:read_socket_with_timeout(263)
>   read_socket_with_timeout: timeout read. select timed out. 
> [2003/12/30 15:43:49, 100] smbd/chgpasswd.c:expect(274)
>   expect: expected [*ew*password*] received [
>   Retype new SMB password:] match yes
> [2003/12/30 15:43:49, 10] smbd/chgpasswd.c:expect(285)
>   expect: returning True
> [2003/12/30 15:43:49, 100] smbd/chgpasswd.c:expect(237)
>   expect: sending [testuser
>   ]
> [2003/12/30 15:43:49, 3] smbd/chgpasswd.c:chat_with_program(438)
>   Password change successful for user testuser
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 32 -> now CHANGED
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 31 -> now CHANGED
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 10 -> now CHANGED
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 20 -> now CHANGED
> [2003/12/30 15:43:49, 10] lib/account_pol.c:account_policy_get(134)
>   account_policy_get: maximum password age:-1
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 9 -> now CHANGED
> [2003/12/30 15:43:49, 10] lib/account_pol.c:account_policy_get(134)
>   account_policy_get: minimum password age:0
> [2003/12/30 15:43:49, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
>   element 8 -> now CHANGED
> [2003/12/30 15:43:49, 4] 
> passdb/pdb_ldap.c:ldapsam_update_sam_account(1370)
>   
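The log above shows why the loose chat still "succeeded" against the wrong program: `*ew*password*` matches both `New SMB password:` and `New UNIX password:`. The following is an added example, not Samba code: it walks a `passwd chat` script against a program's prompts the way smbd's expect/send loop does, using `*` wildcards matched case-insensitively. The prompt strings are constructed from the log in this thread and from a typical Linux `/usr/bin/passwd` run; `run_chat` and `parse_chat` are names chosen for this example.

```python
"""Simulate Samba's 'passwd chat' expect/send loop (added example,
not Samba code). Prompts are constructed: the SMB ones come from the
log in this thread, the UNIX ones from a typical Linux passwd run."""
import fnmatch

# Prompts smbpasswd prints, as seen in the thread's log (constructed).
SMBPASSWD_PROMPTS = ["New SMB password:", "\nRetype new SMB password:"]
# Prompts a typical Linux /usr/bin/passwd prints (constructed).
PASSWD_PROMPTS = ["New UNIX password: ",
                  "\nRetype new UNIX password: ",
                  "\npasswd: all authentication tokens updated successfully\n"]

# The chat from the original poster's smb.conf and Clint's suggestion.
LOOSE_CHAT = r"*ew*password* %n\n *ew*password* %n\n"
STRICT_CHAT = (r"*New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n "
               r"*passwd:*all*authentication*tokens*updated*successfully*")


def parse_chat(chat):
    """Split a passwd chat string into (expect, send) pairs.

    Simplification: tokens are whitespace-separated (no quoted
    strings). A trailing expect without a send is allowed, and '.'
    means 'nothing', as in smb.conf."""
    tokens = chat.split()
    pairs = []
    for i in range(0, len(tokens), 2):
        expect = tokens[i]
        send = tokens[i + 1] if i + 1 < len(tokens) else ""
        pairs.append(("" if expect == "." else expect,
                      "" if send == "." else send))
    return pairs


def expand(send, new_password):
    """Expand %n to the new password and the two-character \\n to a newline."""
    return send.replace("%n", new_password).replace("\\n", "\n")


def run_chat(chat, prompts, new_password):
    """Return (ok, transcript). Each non-empty expect pattern must match
    the next prompt (wildcards, case-insensitive); a miss aborts."""
    transcript = []
    remaining = list(prompts)
    for expect, send in parse_chat(chat):
        if expect:
            prompt = remaining.pop(0) if remaining else ""  # "" = timeout
            ok = fnmatch.fnmatchcase(prompt.lower(), expect.lower())
            transcript.append(f"expected [{expect}] received "
                              f"[{prompt.strip()}] match {'yes' if ok else 'no'}")
            if not ok:
                return False, transcript
        if send:
            transcript.append(f"sending [{expand(send, new_password).rstrip()}]")
    return True, transcript


if __name__ == "__main__":
    for name, chat in (("loose", LOOSE_CHAT), ("strict", STRICT_CHAT)):
        for prog, prompts in (("smbpasswd", SMBPASSWD_PROMPTS),
                              ("passwd", PASSWD_PROMPTS)):
            ok, lines = run_chat(chat, prompts, "s3cret")
            print(f"{name} chat vs {prog}: {'ok' if ok else 'FAILED'}")
            for line in lines:
                print("   ", line)
```

The strict chat fails against smbpasswd's prompts on the first expect, which is the behaviour you want: a mismatched `passwd program` should be noticed in the log rather than silently matched.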

RE: [Samba] printing problem from Windows 98 - samba 3.0.1

2003-12-30 Thread Sharp, Clint
2000/XP and Win 98/ME use different printer drivers.  Have you installed
drivers for Win98/ME to your print$ share as well?

Clint

> -Original Message-
> 
> Hi List,
>   
>   (PS: I am not signed to list, please CC a mail to 
> [EMAIL PROTECTED] ).
> 
>I am using samba 3.0.1 as a primary domain
> controller with LDAP. I am able to do file sharing
> very well with user wise restriction. The problem is
> with printer.
>I have a HP1200 printer for which I have to do JOB 
> accounting. All the jobs will be queued through samba. I have 
> done setup so that the machine (named
> "printserver") to which the printer is attached doesn't
> allow other machines to directly print; it allows only
> the samba (named "pragatee") machine to print. So all the 
> workstations will queue their print jobs to samba.
>Now when a workstation joins the samba domain, they can
> share files. I have added a print$ share so workstations
> can download adobeps4.drv and related files directly.
> But when I configure the printer on a Win98 workstation and
> go to the properties applet of that printer, I get a
> rundll32 error related to adobeps4.drv. The same thing
> works perfectly with Win2k/WinXp clients with
> cupsdrvr.dll and stuff.
>Has anyone faced this kind of problem before? This
> problem has been listed in threads, but no replies
> were given. If anyone wants to see the complete error log,
> I will mail that. Sorry for such a huge mail. I have been
> scratching my head for the last 2 days. :-(
> 
>   Error log is as following :
> 


RE: [Samba] Plaintext_password returned NULL

2003-12-30 Thread Sharp, Clint
Windows NT SP3 and above as well as Win98 and above expect encrypted
passwords by default.  Setting encrypted passwords = yes in your
smb.conf I believe will eliminate the error (although I've never seen
the error so I'm just guessing).

Clint

> -Original Message-
> Hi all,
> 
> I am sharing a directory by using SAMBA Ver. 2.2.3a on a 
> HP-UX 11.11 for MS XP-Clients. Although connecting works 
> fine, I get the following log entry every time a client connects:
> 
> [2003/12/30 10:11:02, 0] smbd/chgpasswd.c:(939)
> check_plaintext_password: getsmbpwnam returned NULL
> 
> smb.conf looks as follows:
> 
> # Global parameters
> [global]
>   coding system = 
>   client code page = 850
>   code page directory = /etc/opt/samba/codepages
>   workgroup = WORK
>   netbios name = SVXYZ.INTRANET.LAN.CH
>   netbios aliases = 
>   netbios scope = 
>   server string = %h
>   interfaces = 
>   bind interfaces only = No
>   security = SHARE
>   encrypt passwords = No
>   update encrypted = No
>   allow trusted domains = Yes
>   hosts equiv = 
>   min passwd length = 5
>   map to guest = Never
>   null passwords = No
>   obey pam restrictions = No
>   password server = 
>   smb passwd file = /etc/opt/samba/smbpasswd
>   root directory = /
>   pam password change = No
>   passwd program = /bin/passwd
>   passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>   passwd chat debug = Yes
>   username map = /etc/opt/samba/username.map
>   password level = 0
>   username level = 0
>   unix password sync = No
>   restrict anonymous = No
>   lanman auth = Yes
>   use rhosts = No
>   log level = 0
>   syslog = 1
>   syslog only = No
>   log file = /var/adm/samba/log.%m
>   max log size = 1000
>   timestamp logs = Yes
>   debug hires timestamp = No
>   debug pid = No
>   debug uid = No
>   protocol = NT1
>   large readwrite = No
>   max protocol = NT1
>   min protocol = CORE
>   read bmpx = No
>   read raw = Yes
>   write raw = Yes
>   nt smb support = Yes
>   nt pipe support = Yes
>   announce version = 4.5
>   announce as = NT
>   max mux = 50
>   max xmit = 65535
>   name resolve order = host bcast
>   max packet = 65535
>   max ttl = 259200
>   max wins ttl = 518400
>   min wins ttl = 21600
>   time server = No
>   unix extensions = Yes
>   change notify timeout = 60
>   deadtime = 0
>   getwd cache = Yes
>   keepalive = 300
>   lpq cache time = 10
>   max smbd processes = 0
>   max disk size = 0
>   max open files = 1
>   read size = 16384
>   socket options = 
>   stat cache size = 50
>   use mmap = No
>   total print jobs = 0
>   load printers = No
>   printcap name = lpstat
>   disable spoolss = No
>   enumports command = 
>   addprinter command = 
>   deleteprinter command = 
>   show add printer wizard = No
>   os2 driver map = 
>   strip dot = No
>   character set = 
>   mangled stack = 50
>   stat cache = Yes
>   domain admin group = 
>   domain guest group = 
>   groupname map = /etc/opt/samba/groupname.map
>   machine password timeout = 604800
>   add user script = 
>   delete user script = 
>   logon script = 
>   logon path = \\%N\%U\profile
>   logon drive = 
>   logon home = \\%N\%U
>   domain logons = No
>   os level = 0
>   lm announce = False
>   lm interval = 60
>   preferred master = False
>   local master = No
>   domain master = False
>   browse list = Yes
>   enhanced browsing = Yes
>   dns proxy = No
>   wins proxy = No
>   wins server = 
>   wins support = No
>   wins hook = 
>   kernel oplocks = Yes
>   oplock break wait time = 0
>   add share command = 
>   change share command = 
>   delete share command = 
>   config file = 
>   preload = 
>   lock dir = /var/opt/samba/locks
>   default service = 
>   message command = 
>   dfree command = 
>   valid chars = 
>   remote announce = 
>   remote browse sync = 
>   socket address = 0.0.0.0
>   homedir map = 
>   time offset = 0
>   NIS homedir = No
>   source environment = 
>   panic action = 
>   hide local users = No
>   host msdfs = No
>   winbind uid = 
>   winbind gid = 
>   template homedir = /home/%D/%U
>   template shell = /bin/false
>   winbind separator = \
>   winbind cache time = 15
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   comment = 
>   path = 
>   alternate permissions = No
>   username = 
>   guest account = hypxyz
>   invalid users = 
>   valid users = 
>   admin users = 
>   read list = 
>   write list 

RE: [Samba] Slow browsing through Windows Explorer

2003-12-29 Thread Sharp, Clint
> -Original Message-
> 
> Clint,
> 
> >
> > We may have different problems.  You were doing this w/o 
> the folders 
> > bar in Windows Explorer right?
> 
> Not sure what you mean here.  I'm just in explore mode of 
> Windows Explorer.
> 

In windows explorer, under View->Explorer Bar->Folders, is this checked?
If so, uncheck it and go to the server via \\servername\share again and
see if takes a long time still.  This will tell you if it's a browsing
related issue, as with the folders explorer bar open, it's attempting to
build a browse list for the workgroup.

> 
> >
> > Also, these machines are in a workgroup setting?  Is your 
> machine on a 
> > domain or in the same workgroup?
> 
> I'm on a domain,  I have another box RedHat (LINK) that is my 
> PDC.  Which is working when the XP Client logs in, it has a 
> netlogon share which maps the
> H: and the Y: drives to Morpheus and Unreal respectively.
> 
> 
> Have you done an nmblookup -M -- - or
> > findsmb to determine which machine is your master browser?
> 
> No,  I think this is a good place to start.  I did restart 
> Samba on Morpheus and bumped up the log level to 2 and now 
> I'm getting this.
> 
> 
> [2003/12/29 15:27:44, 2]
> nmbd/nmbd_nameregister.c:register_name_timeout_response(199)
> register_name_timeout_response: WINS server at address 
> 10.11.86.17 is not responding.
> 
> 
> 
> 10.11.86.17 is LINK which is my PDC that I've also told to be 
> a wins server in the smb.conf file.
> 
> 

Make sure on the machine you think is your WINS Server you set wins
support = yes instead of wins server = yes, as the wins server is the
parameter for telling a machine which IP to query for WINS.  I have a
feeling this is set up wrong, which is why you're having a problem
browsing and thus it's slow in Windows.

Clint

> 
> This sounds
> > like a browsing related issue, and you have to have a 
> reachable master 
> > browser for the workgroup/domain of the machine you're 
> attempting to 
> > connect to so that Windows can pull the browse list, 
> otherwise it'll 
> > take forever before timing out.  Maybe someone else here has more 
> > experience at this than I do, but that's what it seems like to me.
> >
> > Clint


RE: [Samba] Slow browsing through Windows Explorer

2003-12-29 Thread Sharp, Clint
Curtis,

I have similar problems when not joined to a domain browsing Windows
shares as well.  This is a problem with Windows attempting to enumerate
a browse list for all the machines in your workgroup.  Ironically, I
don't see this problem when the folders tab isn't there (i.e. go through
my computer instead of windows explorer and type in \\server\share).

Clint


> -Original Message-
> Hello,
> 
> I'm having a very strange problem with Samba version 2.2.7a.  
> I have four boxes,  Two Linux Mandrake Boxes (Morpheus and 
> Unreal both v. 9.2), One RedHat (Link v. 8.0) and an XP 
> Workstation (Kek XP Pro NO SP1).
> 
> When I bring up My Computer (Explorer) and attempt to browse 
> through the H: drive (SMB Share mapped to Users Home dir on 
> Morpheus), Y: drive (SMB Share mapped to /backup on Unreal)
> 
> It takes a very, very long time to list the files on any of 
> the mapped samba drives.  It basically hangs the explorer.exe 
> process.  I can bring up the task manager, I can still toggle 
> (Control + Tab) between other apps that are open, but I 
> cannot access my start menu or do anything with the current 
> explorer window that's reading the files from the network.
> 
> However with the task manager open I can launch a new task 
> cmd.exe and then from the command prompt I can C:>H: change to 
> the H: drive, do a "dir" and list all the files, I can even 
> dig down into sub dirs and list files over the network, the 
> whole time the explorer process appears to be hung trying to 
> list the files, just like I did in the command prompt window.
> 
> Then after about 4 or 5 minutes, everything comes back to 
> normal, it shows all the files in the explorer window, and 
> then any clicking I did like on the start menu or trying to 
> move windows while it was hung all happens very quickly and 
> then it's fine.  Until I try to access the drive again in 
> about 2 or 3 hours.
> 
> Sorry so long.
> Thanks in advance for any help.
> --
> Curtis Strite
> Director of Internet Services
> 7321 S. Lindbergh Blvd.
> Suite 104
> St. Louis, MO 63125
> Office: 314-892-2100
> Mobile: 314-280-8270
> Email: [EMAIL PROTECTED]
> Website: www.scdservices.com
> 
> 
> 
> 
> Message sent using UebiMiau 2.7.2
> 


RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID

2003-12-29 Thread Sharp, Clint
Quotes are required around the two ldap:// URIs AFAIK.  I've not used AS
3, but on 8 I've always built from Source RPM as I've also added ACL
support (pretty easy with the Redhat kernels, and even though they say
it's not stable, I've yet to have any problems with it).  I'd go grab
Samba 3.0.1 source RPMs from the Samba website and build from there, or
even upgrade to 3.0.1 from the Redhat RPMs on the Samba site, as those
are known to have proper LDAP support included.

Clint

> -Original Message-
> perhaps this is a problem with only the version of Samba 3 
> that shipped in Red Hat AS 3 but if I put in...
> 
>  passdb backend = ldapsam:ldap://localhost/ ldap://slave/
> 
> I end up with the following in /var/log/samba/log.smbd...
> 
> [2003/12/29 10:04:58, 0]
> passdb/pdb_interface.c:make_pdb_methods_name(447)
>   No builtin nor plugin backend for ldap found
> 
> Official Samba-3 Howto also states that default (meaning undeclared
> value) for ldap ssl = Start_tls but that doesn't seem to be the case.
> 
> Craig
> 
> 


RE: [Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

2003-12-29 Thread Sharp, Clint
John,

What I've done so far is mostly a hack.  I've implemented some custom
VBS scripts at login to install software (that only works part of the
time because my method for granting the users admin privileges is a UI
based VBS hack which types the password in for them from an encrypted
VBS script) and I've yet to implement any Windows policies as I've not
been motivated enough to dig up poledit.exe or figure out how to
implement them with Samba (although admittedly I'm sure your book would
go great strides to helping me with that).  Right now we're implementing
policies the old fashioned way, "Screw up the computer you're fired." :)

For the same reason LDAP and its associated open source management
tools (I'm a big fan of LAM which is in beta now at
http://sf.net/project/lam) are great for allowing us to get away from
NT4 based management tools, I've become increasingly aware there's no
way to implement NT4 based policies w/o having to have NT based
management tools (of which I'm not sure Microsoft's license allows one
to use them w/o NT4 installed).  I've begun thinking an expandable
architecture based on an open-source NT service installed on the clients
could help us solve many of the problems we're still relying on NT tools
for.  This could possibly even allow us to implement new ideas since we
would have a privileged executable running on the workstations.

However, I'm merely thinking at this point, and I don't want to
re-invent the wheel either (well, anyone but Microsoft's wheel, as their
tools are becoming dated and may not be supported in future Windows
desktop releases).  If someone has a way to solve the problems I've
listed below in an easily manageable way w/o using Microsoft tools, I'd
be glad to help them as I've said previously.

So in summary, I'm interested if someone has started work like this, and
in response to your last post, I don't have anything worth putting in
your book at this point, I'm merely looking for other people who might
have started work on something like this.

Clint



> -Original Message-
> From: John H Terpstra [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 29, 2003 11:11 AM
> To: Sharp, Clint
> Cc: samba
> Subject: Re: [Samba] Open Source W2k Policy Implementation 
> (was Re: Windows2000 policies in a Samba PDC)
> 
> 
> Clint,
> 
> In my new book "Samba-3 by Example", which will be released 
> to open source when the book is in print, I have given 
> step-by-step prescriptive guidance on how to implement total 
> control over client Windows workstations. I have restricted 
> coverage to NT4 style profiles, even though I am fully aware 
> that SYSVOL type Win2kx profiles do partly work.
> 
> That book will be available in April, and will be part of the 
> samba-docs project (that is where the Samba-HOWTO-Collection 
> also has its home).
> 
> The reasons for which I have not provided guidance specific 
> to Win2K GPO implementation are:
> 
>   1. Part of the protocol is dependent on Active Directory queries
>   that Samba-3 can not support.
>   2. NT4 Policies allow almost everything that must be achieved
>   without a whole lot more complicated steps that are
>   very easy to get wrong.
> 
> But if you wish to help document what you have done I am most 
> willing to put it in the appendix and to point readers at it 
> from appropriate locations in the text.
> 
> Cheers,
> John T.
> 
> On Mon, 29 Dec 2003, Sharp, Clint wrote:
> 
> >
> > Sorry for badly hacking up your reply since most of this could be 
> > taken out of context w/o his message, but I wanted to leave 
> a couple 
> > of the lines in there.
> >
> > The reason I joined the list was to ask this question.  I'm 
> aware of 
> > the current situation with W2k policies, and I was 
> wondering if anyone 
> > has undertaken work to implement all or part of the W2k GPO 
> outside of 
> > Active Directory.  Since essentially GPOs are simply an ACL which 
> > implements registry changes dependent on the policy defined in the 
> > GPO, I would think this is definitely possible.  Maybe I'm over 
> > simplifying what GPOs do or possibly I only used GPO features which 
> > were NT4 compatible (which would mean that I could get by with .POL 
> > files).
> >
> > I'm currently trying to solve three problems in my Samba 
> > implementation. Two of these are irrelevant to this 
> discussion, but I 
> > want to include them as I'm considering solving them with the same 
> > software:
> >
> > * Microsoft implemented roaming profiles suck and 

[Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

2003-12-29 Thread Sharp, Clint
> -Original Message-
> On Mon, 29 Dec 2003, Áncor González Sosa wrote:
> 
> With Samba you can do only what you can do with NT4 using the 
> NTConfig.POL file.
> 
> 
> You can copy the files Win2K creates in 
> c:\WINNT\SYSVOL\sysvol\domainname\profiles to a share called 
> "SYSVOL" under the path: 
> /var/lib/sysvol/sysvol/domainname/profiles/...
> Where the root of the SYSVOL share is /var/lib/sysvol.
> 
> From my experimentation this only partly works at best. Only NT4
> NTConfig.POL policies work consistently.
> 
> The other choice you have is to edit the NTUSER.DAT from the 
> users' profile, add the policy settings in it, then save it back.
> 
> To do this you must load the NTUSER.DAT file as an add-on 
> hive in regedt32. Edit, then unload the hive. Be careful with 
> this! It can ruin your day!
> 
> 
> No to create that you must use the NT4 Group Policy Editor. 
> No alternative exists.
> 
> 
> Sorry. Not possible today.
> 
> 
> - John T.
> -- 
> John H Terpstra
> Email: [EMAIL PROTECTED]

Sorry for badly hacking up your reply since most of this could be taken out of context 
w/o his message, but I wanted to leave a couple of the lines in there.

The reason I joined the list was to ask this question.  I'm aware of the current 
situation with W2k policies, and I was wondering if anyone has undertaken work to 
implement all or part of the W2k GPO outside of Active Directory.  Since essentially 
GPOs are simply an ACL which implements registry changes dependent on the policy 
defined in the GPO, I would think this is definitely possible.  Maybe I'm over 
simplifying what GPOs do or possibly I only used GPO features which were NT4 
compatible (which would mean that I could get by with .POL files).

I'm currently trying to solve three problems in my Samba implementation.  Two of these 
are irrelevant to this discussion, but I want to include them as I'm considering 
solving them with the same software:

* Microsoft implemented roaming profiles suck and are incredibly inefficient over slow 
links.  I'm considering re-implementing them using a client-side process and librsync.
* Patching systems is a pain, as well as installing software for users.  This is 
generally part of SUS or could be part of GPO (maybe SUS creates GPOs to install the 
updates, I dunno).  The problem I've always found is getting around my users not 
having admin privileges on their machines.  I've found several free su-like 
implementations for Windows, but all still require a password on the command line or 
are just too insecure for me if they don't.  I'm considering implementing a service 
which would patch software on the Windows machine based on output from a server 
process running on my Samba servers (possibly only the PDC).
* As mentioned before, I'd like an open-source implementation of W2k GPOs.  This 
wouldn't run using Microsoft's GPO process, instead it would be implemented by a 
client-side process which would make the necessary changes.

Has anyone currently started work fixing any of these?  I'm ready to trash all the 
custom work I've done to solve these problems and start fresh with something that'll 
work cleanly and smoothly.  I've got some ideas for architecture including development 
language, communications protocols, etc, but nothing's firm, and I'd be glad to 
contribute to someone who's already started a project which solves one or more of the 
above problems.  If not, if anyone else is interested in the above problems and wants 
to start work on a new project which would solve those, I'd be happy to discuss with 
you offline.

Cheers,
Clint



RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID

2003-12-29 Thread Sharp, Clint
> -Original Message-
> Tried what? ;-)
> 
> Setup :
>unix password sync = yes
>passwd program = /usr/local/sbin/ldap-passwd.pl %u
> 
> Note: ldap-passwd.pl is a custom script to modify the userpassword 
> attribute, modify the master server, and chase referrals if any.
> 
> BDC -> Slave Openldap:
> 
> 1. ldapmanager as replica account.
> User was able to change password from Win WS.
> ldap-passwd.pl update master, samba update slave.
> 
> 2. ldapmanager not as replica account.
> - user unable to change password, err from Windows is "you 
> did not have permission to change your password".
> - run smbpasswd to change user password also giving error.
> 
> but I did not try :
>  passdb backend = ldapsam:"ldap://slave ldap://master"
> Will it solve my problem?
> 
> Another question:
> On what interval do clients change their machine password? Is it 
> triggered from client or server?
> 
> 
> --beast 

passdb backend = ldapsam:"ldap://master ldap://slave" works just fine
for me.  I have the passwd program set to /usr/bin/passwd and Samba
updates the Samba-related entries in the master LDAP (with passwd
updating the posixAccount-related entries).  Took me a while to find the
ldapsam:"ldap://master ldap://slave" workaround too, but it's worked
flawlessly for me in production since.

Clint


RE: [Samba] multi subnetted network (was: CIDR notation in config file)

2003-12-29 Thread Sharp, Clint
> -Original Message-
> I have a slightly different problem, but it is veeery similar: I have a
> number of machines with various OSes; some use real M$ client/server,
> others use Samba (in server mode).
> These are set in an MS domain.
> Most machines have a 192.168.a.* address, others a public b.c.d.*
> address; the PDC and BDC have two NICs, on both networks.
> It works fine.
> However, I have some [win 2k] clients that are either on b.c.e.* and
> 192.169.f.* or, worse, are behind a NATting firewall that converts
> [symmetrically DNAT/SNAT] the private addresses they have in a "remote"
> network into unique b.c.d.* addresses.
> While if I log in locally and try to access remote servers I have almost
> no problem (except a very, very interesting effect, see below), if I stay
> outside one of the "home" networks I have the following problems:
> (note: the routers are Linux servers with static routes and no
> firewalling active; all addresses, either private or public, are static)
>   1. I cannot add new Windows hosts to the domain, since it says that no
>      domain server is found, although if I plug into one of the home
>      networks I can add them.
>   2. Once I have added them and moved to the "remote" network I cannot use
>      user authentication at login, since it says the PDC is not
>      reachable. However I can, if I log in as a local user, access the
>      shares on that host, which ask me for domain/username/password [so
>      I can confirm that routing is really working].
>   3. From machines behind DNAT/SNAT I cannot even change permissions,
>      since I cannot get the list of users/groups from the domain!
>   4. The final problem, that I mentioned before:
>      From machines behind NAT I can access the server but...
>      If the client is XP Pro I can access only servers with Win2k or
>      Samba 3.0. No luck with hosts with NT4 SP6.
>      But if I plug it into the home networks directly, I can access the
>      NT4 servers again. Win2k works OK, instead!
> 
> Any idea/hint/explanation?
> 

This seems like a Windows browsing problem, which would exist for
machines not on the same subnet.  Do you have wins support = yes in your
smb.conf and the machines on all subnets set to use your Samba server as
the WINS server?  This should get you around most of your
browsing-related issues.

Clint


RE: [Samba] samba PDC & BDC

2003-12-29 Thread Sharp, Clint
> -Original Message-
> 
> Machine is added to domain, no problem, right, because PDC fields this
> whereas BDC handles most of logon chores. What if PDC/LDAP is offline?
> Doesn't Machine Add then get added to slave LDAP? How about if user
> changes his password? Do I really want the secrets.tdb to have rootdn
> PASSWORD? Shouldn't this be a non-rootdn in the BDC's smb.conf with only
> sufficient access to see sambaNTPassword & sambaLMPassword with read
> only and no write privileges to anything? I.e. PDC down, no password
> changes, no new machine accounts.
> 
> Craig


Craig,

Usually, it's recommended you set the binddn to something other than
root, but with privileges that can modify anything needed (even on the
PDC).  In a BDC situation, that user canNOT have access to modify
anything (and will be required to be set as the updatedn in the
slapd.conf anyways, if it's a replication slave).

Cheers,
Clint
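A concrete version of the read-only BDC bind DN Craig asks about, added here as an illustration and not taken from the thread: the replica's slapd.conf ACLs plus the matching smb.conf lines. Every DN, host name and suffix below is assumed; substitute your own.

```conf
# --- slapd.conf on the BDC's replica (added example; DNs and hosts are assumed) ---
# The replication account is the only DN this replica accepts writes from;
# slapd answers every other write with a referral to the master, so the
# ACLs below are defence in depth rather than the only barrier.
updatedn  "cn=replicator,dc=example,dc=com"
updateref ldap://master.example.com

# Password hashes: the BDC's Samba bind DN may read them, never change them.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=replicator,dc=example,dc=com" write
    by dn.exact="cn=samba-bdc,dc=example,dc=com" read
    by anonymous auth
    by * none

# Everything else (posixAccount, sambaSamAccount, machine accounts): read-only
# for the BDC bind DN as well.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" write
    by dn.exact="cn=samba-bdc,dc=example,dc=com" read
    by * read

# --- smb.conf on the BDC (same assumptions) ---
# Bind as the restricted DN, not the rootdn. The password stored in
# secrets.tdb with "smbpasswd -w <password>" then only grants read access,
# which is what Craig's "PDC down, no changes" case needs.
[global]
    domain master = no
    passdb backend = ldapsam:"ldap://bdc.example.com"
    ldap admin dn = cn=samba-bdc,dc=example,dc=com
    ldap suffix = dc=example,dc=com
```

With this split, a compromised BDC or a leaked secrets.tdb yields only the read access the BDC already had, and password or machine-account changes still have to reach the master.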