Re: [Samba] pdbedit password policy - not updating ldapsam
Hi Jamurph,

I think replication of password policies to LDAP started with Samba 3.0.23d. Before this version you have to export them from the PDC to the LDAP server by

pdbedit -y -i tdbsam -e ldapsam

and import them on all BDCs with

pdbedit -y -i ldapsam -e tdbsam

Regards
Stefan

jamurph wrote:
> I have Samba and LDAP up and running, but I'm having problems editing the
> password policy using pdbedit.
>
> (I'm running 3.0.22)
>
> I've had a look at the man page for pdbedit but I don't really fully
> understand what it does in relation to passwd backends. Does pdbedit update
> just one backend and expect a user to export the updates to other backends?
>
> I think I've set up ldap as my default backend - but pdbedit doesn't update
> it. It looks like it's updating some other backend. I guess my smb.conf
> (attached) isn't configured correctly? How do I find out which one it's
> updating? I can also see a reference to pdbedit backend guest in the logs,
> but I don't understand why pdbedit is looking for this.
>
> I tried the following command:
> pdbedit -P "min password length" -C 7 -d 10
>
> This is a snippet of the logs:
> The LDAP server is succesfully connected
> pdb backend ldapsam:ldap://ldap-1 ldap://ldap-2 has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> account_policy_get: min password length:7
> account policy value for min password length was 7
> account_policy_set: min password length:7
> account policy value for min password length is now 7
>
> I'm guessing it's taking these values from
> /var/lib/samba/account_policy.tdb, it's not taking them from ldap - because
> it doesn't change sambaMinPwdLength
>
> I can see a search happening in the ldap logs, but I don't see any updates -
> is this expected behaviour?
>
> I believe I need to run the following command to update LDAP?
> pdbedit -y -i tdbsam -e ldapsam -d 10
>
> However, when I do this, I get the following error message (more of the log
> attached - but this is the part I think is failing)
>
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> called with username="(null)"
> tdb(unnamed): tdb_open_ex: could not open file /etc/samba/passdb.tdb: No
> such file or directory
> Unable to open/create TDB passwd
> Can't sampwent!
>
> When configuring Samba initially, I had some problems, so I followed some
> instructions and deleted the following
>
> rm /etc/samba/*tdb
> rm /var/lib/samba/*tdb
> rm /var/lib/samba/*dat
> rm /var/log/samba/*
>
> as a result passdb.tdb is no longer there, and didn't get re-created. Is there any
> way I can recreate this file? Is this the cause of my problems?
>
> Any help much appreciated, I've attached more details in case they are
> needed
>
> -- LDAP Entry
>
> dn: sambaDomainName=BLAHDEV,dc=example,dc=org
> sambaDomainName: BLAHDEV
> sambaMinPwdAge: 0
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaPwdHistoryLength: 0
> sambaNextGroupRid: 67109863
> uidNumber: 1005
> sambaLogonToChgPwd: 0
> sambaLockoutDuration: 30
> sambaMaxPwdAge: -1
> sambaForceLogoff: -1
> sambaLockoutThreshold: 0
> gidNumber: 1000
> sambaSID: S-1-5-21-317703500-4181503002-770181164
> sambaNextUserRid: 67109862
> sambaMinPwdLength: 5
> sambaRefuseMachinePwdChange: 0
> sambaAlgorithmicRidBase: 1000
> sambaLockoutObservationWindow: 30
>
> SMB.CONF ---
> [global]
> workgroup = BLAHDEV
> netbios name = BLAHDEV-PDC
> security = user
> server string = Samba Server
> log level = 2
> syslog = 0
> log file = /var/log/samba/%m.log
> max log size = 10
> time server = Yes
> logon home = ""
> logon path = ""
> domain logons = Yes
> domain master = Yes
> os level = 65
> preferred master = Yes
> wins support = yes
> encrypt passwords = Yes
> # unix password sync = Yes
> passwd program = /usr/sbin/ldap_userPassword_change %u
> passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success
> # Crackcheck settings to allow NT style password complexity checks
> check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
> passdb backend = ldapsam:"ldap://ldap-1 ldap://ldap-2";
> ldap admin dn = cn=Manager,dc=example,dc=org
> ldap suffix = dc=dc=example,dc=org
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> idmap backend = ldap:"ldap://ldap-1 ldap://ldap-2";
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
> add group script = /opt/IDEALX/sbin/smbldap-g
Re: [Samba] migrate machine-passwords from smbpasswd to ldap?
Hi Peter,

I didn't test it but

pdbedit -i smbpasswd:/etc/smbpasswd -e ldapsam

should do the job! There is also a parameter -g which applies to group mappings (Are they available in Samba 2 ???).

Good luck.

peter pilsl wrote:
> I'm just migrating a whole samba installation from old 2.2 to 3.0 with
> LDAP.
> I was successfully able to migrate all user accounts with smbldap-useradd
> but now I'm stuck with the machine accounts. All machines are part of
> the domain and they should be able to log on to the new server without
> noticing any difference.
>
> I can add them with smbldap-useradd -w but the resulting ldap entry does
> not have any samba attributes, especially the sambaNTpassword and
> sambaLMpassword fields are not set !!
>
> I think that these passwords are essential to keep the trust relation
> between server and machines.
>
> I'm not sure about some details also:
>
> 1) the machines still have the $ as last name, so the machine dummy
> should be in the ldap structure with uid=dummy$ ?!
>
> 2) am I right that sambaNTPassword and sambaLMPassword need to be the
> same on the new installation as on the old one to let the machines stay
> in the domain without needing to leave and rejoin?
>
> 3) what about sambaSID for the existing machine? How do I get the
> correct sambaSID? Is it the same as with users? domainSID-1000+2*uid ?
>
> 4) Do I need to add a machine as normal user first and then as machine,
> cause when I try to add the machine with pdbedit I get the following error:
>
> #pdbedit -a -m -u ihf23$ 2>&1
> doing parameter max log size = 1
> pm_process() returned Yes
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=IHF))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=IHF))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> The LDAP server is succesfully connected
> ldapsam_add_sam_account: Adding new user
> init_ldap_from_sam: Setting entry for user: ihf23$
> ldapsam_modify_entry: Failed to add user dn=
> uid=ihf23$,ou=smbComputers,dc=ihf,dc=local with: Object class violation
> object class 'sambaSamAccount' requires attribute 'sambaSID'
> ldapsam_add_sam_account: failed to modify/add user with uid = ihf23$ (dn
> = uid=ihf23$,ou=smbComputers,dc=ihf,dc=local)
> Unable to add machine! (does it already exist?)
>
> thnx,
> peter

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] SAMBA-LDAP - Group permissions
Hi,

Do you want them to be admins from out of the Windows Tools Usermanager/Servermanager? Have a look at the privileges (Samba HOWTO Collection chapter 15). Another chance is to put some access control lists in your slapd.conf file and make the admins use an LDAP browser of their choice.

Good luck
Stefan

Allysson Steve Mota Lacerda wrote:
> Hi folks.
>
> I have a functional Samba-LDAP server running as a PDC with Windows 2003
> clients.
>
> I'm changing the structure of my LDAP tree and I want to give
> administrator's permissions to a branch (i.e.
> ou=teachers,dc=domain,dc=com).
> Is there a way to do this automatically (i.e. by using an argument in
> smb.conf)?
>
> Ah... I tried to use admin users in smb.conf to give permissions to a
> single user but it didn't function.
>
> Thanks a lot.
>
> My smb.conf:
>
> [global]
> workgroup = FACOMP
> netbios name = FACOMP01
> server string = Controlador de Dominio
> domain master = yes
> preferred master = yes
> local master = yes
> domain logons = yes
> enable privileges = yes
> encrypt passwords = yes
> ldap passwd sync = yes
> admin users = rodrigoqueiroz
> passdb backend = ldapsam:ldap://localhost smbpasswd guest
> ldap suffix = dc=facomp,dc=edu,dc=br
> ldap machine suffix = ou=Computadores
> ldap user suffix = ou=Usuarios
> ldap group suffix = ou=Grupos
> ldap admin dn = cn=admin,dc=facomp,dc=edu,dc=br
> ldap ssl = no
> logon script = netlogon.bat
> logon home = \\%L\%U\.profiles
> logon path = \\%L\profiles\%U
> security = user
> os level = 256
> interfaces = 192.168.0.1
> log level = 3
> veto files = /*.mp3/*.wma/*.wmv/*.avi/*.mpg/*.wav/*.rmvb/
> delete veto files = Yes
Re: [Samba] ZENWorks Alternative
Look at OPSI www.opsi.org

C. L. wrote:
> I'm also looking for some Free Alternative to ZENWorks. Have you or anyone
> found anything?
Re: [Samba] winbind: wbinfo -g sees "domain users", getent group does not
Hi Frederik,

I think it's the winbind separator parameter in smb.conf. Did you define it as a backslash in smb.conf, so the Samba server interprets this as a linefeed, like this:

ERROR: the 'winbind separator' parameter must be a single character.
winbind separator =security = user

If you want the backslash to be your winbind separator, just leave the parameter out of your smb.conf, so Samba will use the default:

Loaded services file OK.
winbind separator = \

Kind regards
Stefan

Frederik wrote:
> I have configured winbind on a Linux file server, connecting to a
> Samba PDC. When I run wbinfo -g, I can see the group "domain users".
> On the other hand, when I run getent group, I do not see this group.
> Apart from a few other groups, all groups are visible in both wbinfo
> -g and getent group.
>
> When running for the first time wbinfo -u, getent passwd and wbinfo
> -g, I got the results almost instantaneously, but getent group is very
> slow, and the first time seems to time out (actually the first and
> second time take 1m10s, and none of the domain groups are shown. After
> the third try, the groups are shown, but a few are missing).
>
> Concerning the missing groups, this is in winbind logs:
>
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
>   get_sam_group_entries: Returned 9 local groups
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(562)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2006/10/17 14:08:48, 4] nsswitch/winbindd_group.c:get_sam_group_entries(571)
>   get_sam_group_entries: Returned 0 local groups
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 21, pid 10925: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10925]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 22, pid 10925: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10926]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 21, pid 10926: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10926]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd.c:client_write(532)
>   write failed on sock 23, pid 10926: Broken pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
>   [10927]: request interface version
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
>   [10927]: request location of privileged pipe
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_setgrent(431)
>   [10927]: setgrent
> [2006/10/17 14:08:48, 3] nsswitch/winbindd_group.c:winbindd_getgrent(619)
>   [10927]: getgrent
> [2006/10/17 14:08:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
>   could not lookup membership for group rid S-1-5-21-2127695773-36794-646806464-513 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)
> [2006/10/17 14:08:48, 0] nsswitch/winbindd_group.c:winbindd_getgrent(790)
>   could not lookup domain group domain users
>
> Another problem which happens fairly often, and probably is the cause
> of the slowness:
>
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
> [2006/10/17 14:06:44, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
> [2006/10/17 14:06:44, 1] nsswitch/winbindd_group.c:fill_grent_mem(134)
>   could not lookup membership for group rid S-1-5-21-2127695773-36794-646806464-1185 in domain SECGEN (error: NT_STATUS_UNSUCCESSFUL)
>
> What could make that wbinfo -g sees all groups, while getent groups
> misses a few of them? What makes getent group so slow? I guess I
> should not need to install nscd on the file server?
>
> There are about 400 users and 200 groups. So the PDC is also Samba
> with OpenLDAP as database back-end. The version of Samba used (on both
> PDC and on the file server with winbind) is 3.0.14a from Debian
> Sarge.
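The line-continuation pitfall Stefan points at, as an added example that is not code from this thread or from Samba: a toy loader that applies one rule of smb.conf parsing (assumption: a backslash at the end of a line joins it with the next line, which is how Samba's loader treats backslash-newline) to a constructed snippet, and shows the "security = user" line being swallowed into the separator value so that the single-character check fails. The function names and the snippets are mine.

```python
# Added example, not code from the thread or from Samba. Toy loader that
# mimics one rule of Samba's smb.conf parser (assumption: backslash-newline
# is a line continuation, replaced by a space, with the next line's leading
# whitespace dropped), to show why 'winbind separator = \' eats the next line.

DEFAULT_SEPARATOR = "\\"  # Samba's default 'winbind separator'


def load_params(text):
    """Parse 'name = value' lines into a dict, honouring line continuation."""
    joined, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:          # finish a continued line
            line = pending + " " + line.lstrip()
            pending = None
        if line.endswith("\\"):          # backslash at end of line: continue
            pending = line[:-1]
            continue
        joined.append(line)
    if pending is not None:              # continuation at end of file
        joined.append(pending)
    params = {}
    for line in joined:
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":   # blank, comment, section
            continue
        name, sep, value = stripped.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip()
    return params


def check_winbind_separator(params):
    """Return an error like Samba's if the separator is not one character."""
    sep = params.get("winbind separator", DEFAULT_SEPARATOR)
    if len(sep) != 1:
        return "ERROR: the 'winbind separator' parameter must be a single character: %r" % sep
    return None


# Constructed smb.conf snippets (not the poster's real file).
BROKEN_CONF = """[global]
winbind separator = \\
security = user
"""
FIXED_CONF = """[global]
security = user
"""   # parameter omitted, so the default backslash applies
```

With BROKEN_CONF the parsed dict has no "security" key at all, because that line became the value of "winbind separator".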
Re: [Samba] Providing Samba services to multiple subnets?
This should be possible, if you use WINS.

stan wrote:
> Can I set up a Samba server to provide file storage services
> to a series of XP machines that are on multiple subnets?
Re: [Samba] Samba Anonymous LDAP Authentication
Hi,

isn't it possible to join the server to the domain and set security to domain or server?!?

Regards
Stefan

Matthew Crites wrote:
> Hello all. I have a Samba PDC server working great already. However
> on another host on the network I would like to setup a Samba server
> that authenticates to the same LDAP server that my Samba PDC is using.
> However I want to do this anonymously without telling the second
> server the admin password for LDAP. I cannot seem to find any
> documentation for anonymous LDAP authentication using Samba. Do I
> have to give Samba the admin password just to access authentication
> records?
[Samba] Samba 3 LDAP password policies
Hi List,

I hope somebody can give a solution for the following behaviour:

First the environment:
One Samba 3.0.23b PDC with LDAP backend (OpenLDAP 2.3)
Another Samba 3.0.23b BDC with replicated LDAP backend (OpenLDAP 2.3)

Account policies set in LDAP and imported on both Samba PCs by pdbedit -y -i ldapsam as follows (working almost fine, at least for password history, min length and bad logon attempt):

min password length => 7
password history => 3
maximum password age => 7776000 i.e. 90 days
minimum password age => 86400 i.e. 1 day

Now the behaviour:
If I set the password as admin with smbpasswd, the parameters password must change, password last change and password can change are set to the correct values according to the above policies.

Now I want the user to be able to change his password on the same day, so I changed the password can change parameter, but if a user wants to change his password it doesn't matter which value is set in password can change. The first date a user may change his password is: +

Is the parameter password can change just informational?

Kind regards
Stefan
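Checking the LDAP entry against the intended policy, as an added example (my code, not from these posts or from Samba) that serves both the pdbedit thread at the top of the page and this post: it parses a sambaDomain LDIF entry, maps pdbedit -P policy names to sambaDomain attributes (the mapping used by Samba's ldapsam backend), and lists every policy whose LDAP value differs from the wanted one. The LDIF values are the ones quoted in the pdbedit thread (policy attributes only), the wanted values are the ones in this post, and the function names are mine.

```python
# Added example, not code from the threads or from Samba. Parses a sambaDomain
# LDIF entry and compares its policy attributes with the pdbedit policy names,
# so a policy that pdbedit wrote to account_policy.tdb but not to LDAP shows
# up as a mismatch. Attribute mapping as in Samba's sambaDomain schema.
POLICY_ATTRS = {                      # pdbedit -P name -> sambaDomain attribute
    "min password length": "sambaMinPwdLength",
    "password history": "sambaPwdHistoryLength",
    "maximum password age": "sambaMaxPwdAge",
    "minimum password age": "sambaMinPwdAge",
    "bad lockout attempt": "sambaLockoutThreshold",
    "lockout duration": "sambaLockoutDuration",
}


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, multi-valued
    attributes collected into lists, blank and comment lines ignored."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def audit_policies(entry, wanted):
    """Return {policy: (ldap value or None, wanted value)} for each policy
    whose LDAP value is missing or differs from the wanted integer."""
    diffs = {}
    for policy, wanted_value in wanted.items():
        values = entry.get(POLICY_ATTRS[policy])
        current = int(values[0]) if values else None
        if current != wanted_value:
            diffs[policy] = (current, wanted_value)
    return diffs


# Policy attributes of the sambaDomain entry quoted in the pdbedit thread.
LDIF_ENTRY = """dn: sambaDomainName=BLAHDEV,dc=example,dc=org
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaLockoutDuration: 30
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaMinPwdLength: 5
"""
# Intended policy from the 'Samba 3 LDAP password policies' post.
WANTED = {"min password length": 7, "password history": 3,
          "maximum password age": 7776000, "minimum password age": 86400}
```

Run against the quoted entry, all four wanted policies come back as mismatches, which is exactly the symptom of pdbedit -P having updated the tdb rather than LDAP.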