Re: [Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

2013-02-26 Thread Vladimir Levijev
On 6 February 2013 01:24, Vladimir Levijev  wrote:

>> I have Debian Squeeze running Samba being a member of the domain (PDC
>> and BDC are Windows servers) and its users have been authenticated against
>> AD using winbind for years.
>>
>> Now there is a need to set up another virtual Debian box exactly like
>> that. So the name of the first is STUDENT, I named the virtual
>> STUDENT2. I'm trying to set up the virtual box exactly the same, using
>> exactly the same configs (smb.conf, krb5.conf) as on the working box,
>> but this is what I get:
>>
>> STUDENT2, I can:
>> - create kerberos tickets (kinit Administrator@FOO.LOCAL)
>> - list kerberos tickets (klist)
>> - join the domain (net ads join -U Administrator)
>>   Here I get the following output:
>> Using short domain name -- FOO
>> Joined 'STUDENT2' to realm 'FOO.Local'
>> DNS update failed!
>>   But as I understand the last message is not something to worry about.
>> - (here I start samba, then winbind)
>>
>> And at this point a strange thing happens. I cannot get domain users
>> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
>> ads user -U Administrator". Of course, "getent passwd" lists only
>> local users too.
>>
>> I believe my winbind is not working properly. Here are the questions:
>>
>> 1). How to effectively debug why wbinfo is acting this way?
>> 2). Could the problem be because of 2 machines conflicting because of
>> one letter difference (STUDENT vs STUDENT2)?
>>
>> I can't delete the first box from domain in order to test it as it's
>> in production.
>>
>> STUDENT2 details:
>> - Debian Squeeze up-to-date (6.0.6)
>> - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
>>   ii  samba              2:3.5.6~dfsg-3squeeze9
>>   ii  samba-common       2:3.5.6~dfsg-3squeeze9
>>   ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
>>   ii  winbind            2:3.5.6~dfsg-3squeeze9
>> - # wbinfo -p
>> Ping to winbindd succeeded
>>
>> PDC and BDCs are running Windows Server 2008 R2.
>>
>> I can post the configs in case it helps. However I feel like I have
>> tried all the possible variations of the configs (from so many good
>> howtos) with no effect at all.
>
> More info.
>
> STUDENT:
> # wbinfo -D foo
> Name  : FOO
> Alt_Name  : FOO.Local
> SID   : S-1-5-21-831812219-1424057545-2139100090
> Active Directory  : Yes
> Native: Yes
> Primary   : Yes
>
> STUDENT2:
> # wbinfo -D foo
> Name  : FOO
> Alt_Name  : FOO.LOCAL
> SID   : S-1-5-21-831812219-1424057545-2139100090
> Active Directory  : No
> Native: No
> Primary   : Yes
>
> Firstly, why is Alt_Name different (both boxes have identical configs)
> and where does it come from exactly?
> And secondly, what do "Active Directory", "Native" and "Primary" mean?

OK, just for those that will encounter the same problem: port 445 from
the Linux box running Samba to Active Directory was blocked by a firewall.

Cheers,

VL
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
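A diagnostic helper for the symptom in this thread, added here as an example; it is not from the original posts or from the Samba project. It classifies `wbinfo -D` output, telling a completed join (domain SID present) apart from a winbindd that does not see the domain as AD, checks that two boxes report the same domain SID, and probes the TCP ports a domain member needs on a DC. The split symptom follows from how the tools reach the DC: winbindd opens its DC connection over SMB on TCP 445, while `net ads user` talks LDAP and Kerberos, so a firewall that blocks only 445 leaves `net ads` working and `wbinfo -u` empty. The DC name given on the command line, the port list in `DC_PORTS` and the two embedded `wbinfo -D` samples (copied from the messages above) are assumptions or constructed input; adjust the port list to your site.

```shell
#!/bin/sh
# ad-member-check.sh: added diagnostic for the symptom in this thread.
# Not part of the original posts or of Samba. The DC name (argument), the
# port list and the two embedded wbinfo samples are assumptions/constructed.

# Constructed copies of the two "wbinfo -D foo" outputs quoted above:
# the working box and the box whose "wbinfo -u" comes back empty.
WBINFO_STUDENT='Name  : FOO
Alt_Name  : FOO.Local
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native: Yes
Primary   : Yes'

WBINFO_STUDENT2='Name  : FOO
Alt_Name  : FOO.LOCAL
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native: No
Primary   : Yes'

# wb_field KEY: print the value of the "KEY : value" line of wbinfo -D
# output read on stdin; the whitespace around the colon varies.
wb_field() {
    awk -F':' -v key="$1" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# wb_state: classify wbinfo -D output read on stdin.
#   ads           winbindd talks to a DC as an AD domain (exit 0)
#   joined-no-dc  the domain SID is there, so the join itself worked, but
#                 winbindd does not see the domain as AD: suspect the
#                 network path to the DC, not the join (exit 2)
#   unknown       no domain SID in the output (exit 1)
wb_state() {
    out=$(cat)
    sid=$(printf '%s\n' "$out" | wb_field SID)
    ad=$(printf '%s\n' "$out" | wb_field "Active Directory")
    native=$(printf '%s\n' "$out" | wb_field Native)
    case "$sid" in
        S-1-5-21-*) ;;
        *) echo unknown; return 1 ;;
    esac
    if [ "$ad" = Yes ] && [ "$native" = Yes ]; then
        echo ads
        return 0
    fi
    echo joined-no-dc
    return 2
}

# same_domain OUT1 OUT2: true when both outputs carry the same domain SID,
# i.e. both boxes are members of the same domain and the difference is
# per host, not a STUDENT/STUDENT2 naming clash.
same_domain() {
    a=$(printf '%s\n' "$1" | wb_field SID)
    b=$(printf '%s\n' "$2" | wb_field SID)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# TCP ports a domain member needs on a DC (assumed list; adjust to your
# site): DNS, Kerberos, LDAP, SMB, kpasswd, LDAPS, global catalog.
# winbindd's DC connection is the SMB one, so a closed 445 breaks it
# while LDAP/Kerberos-only tools such as "net ads user" keep working.
DC_PORTS="53 88 389 445 464 636 3268"

# probe_port HOST PORT: print open or closed. Uses bash's /dev/tcp so it
# needs no nc/nmap on a minimal Debian box.
probe_port() {
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# check_dc HOST: probe every port in DC_PORTS; non-zero if any is closed.
check_dc() {
    rc=0
    for p in $DC_PORTS; do
        s=$(probe_port "$1" "$p")
        printf '%5s/tcp %s\n' "$p" "$s"
        [ "$s" = open ] || rc=1
    done
    return $rc
}

# Run as:  wbinfo -D FOO | sh ad-member-check.sh dc1.foo.local
# (dc1.foo.local is an assumed DC name). Without an argument only the
# functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
    wb_state
    check_dc "$1"
fi
```

On the broken box the sample output classifies as `joined-no-dc` while the working box gives `ads`, and `same_domain` confirms both carry the same domain SID; that combination points at the path between winbindd and the DC, which is where `check_dc` then shows the closed port.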


Re: [Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

2013-02-05 Thread Vladimir Levijev
On 4 February 2013 21:38, Vladimir Levijev  wrote:

> I have Debian Squeeze running Samba being a member of the domain (PDC
> and BDC are Windows servers) and its users have been authenticated against
> AD using winbind for years.
>
> Now there is a need to set up another virtual Debian box exactly like
> that. So the name of the first is STUDENT, I named the virtual
> STUDENT2. I'm trying to set up the virtual box exactly the same, using
> exactly the same configs (smb.conf, krb5.conf) as on the working box,
> but this is what I get:
>
> STUDENT2, I can:
> - create kerberos tickets (kinit Administrator@FOO.LOCAL)
> - list kerberos tickets (klist)
> - join the domain (net ads join -U Administrator)
>   Here I get the following output:
> Using short domain name -- FOO
> Joined 'STUDENT2' to realm 'FOO.Local'
> DNS update failed!
>   But as I understand the last message is not something to worry about.
> - (here I start samba, then winbind)
>
> And at this point a strange thing happens. I cannot get domain users
> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
> ads user -U Administrator". Of course, "getent passwd" lists only
> local users too.
>
> I believe my winbind is not working properly. Here are the questions:
>
> 1). How to effectively debug why wbinfo is acting this way?
> 2). Could the problem be because of 2 machines conflicting because of
> one letter difference (STUDENT vs STUDENT2)?
>
> I can't delete the first box from domain in order to test it as it's
> in production.
>
> STUDENT2 details:
> - Debian Squeeze up-to-date (6.0.6)
> - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
>   ii  samba              2:3.5.6~dfsg-3squeeze9
>   ii  samba-common       2:3.5.6~dfsg-3squeeze9
>   ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
>   ii  winbind            2:3.5.6~dfsg-3squeeze9
> - # wbinfo -p
> Ping to winbindd succeeded
>
> PDC and BDCs are running Windows Server 2008 R2.
>
> I can post the configs in case it helps. However I feel like I have
> tried all the possible variations of the configs (from so many good
> howtos) with no effect at all.

More info.

STUDENT:
# wbinfo -D foo
Name  : FOO
Alt_Name  : FOO.Local
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native: Yes
Primary   : Yes

STUDENT2:
# wbinfo -D foo
Name  : FOO
Alt_Name  : FOO.LOCAL
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native: No
Primary   : Yes

Firstly, why is Alt_Name different (both boxes have identical configs)
and where does it come from exactly?
And secondly, what do "Active Directory", "Native" and "Primary" mean?

Cheers,

dimir


[Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

2013-02-04 Thread Vladimir Levijev
Hi,

I have Debian Squeeze running Samba being a member of the domain (PDC
and BDC are Windows servers) and its users have been authenticated against
AD using winbind for years.

Now there is a need to set up another virtual Debian box exactly like
that. So the name of the first is STUDENT, I named the virtual
STUDENT2. I'm trying to set up the virtual box exactly the same, using
exactly the same configs (smb.conf, krb5.conf) as on the working box,
but this is what I get:

STUDENT2, I can:
- create kerberos tickets (kinit Administrator@FOO.LOCAL)
- list kerberos tickets (klist)
- join the domain (net ads join -U Administrator)
  Here I get the following output:
Using short domain name -- FOO
Joined 'STUDENT2' to realm 'FOO.Local'
DNS update failed!
  But as I understand the last message is not something to worry about.
- (here I start samba, then winbind)

And at this point a strange thing happens. I cannot get domain users
using wbinfo (wbinfo -u returns nothing) but I get them all using "net
ads user -U Administrator". Of course, "getent passwd" lists only
local users too.

I believe my winbind is not working properly. Here are the questions:

1). How to effectively debug why wbinfo is acting this way?
2). Could the problem be because of 2 machines conflicting because of
one letter difference (STUDENT vs STUDENT2)?

I can't delete the first box from domain in order to test it as it's
in production.

STUDENT2 details:
- Debian Squeeze up-to-date (6.0.6)
- standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
  ii  samba              2:3.5.6~dfsg-3squeeze9
  ii  samba-common       2:3.5.6~dfsg-3squeeze9
  ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
  ii  winbind            2:3.5.6~dfsg-3squeeze9
- # wbinfo -p
Ping to winbindd succeeded

PDC and BDCs are running Windows Server 2008 R2.

I can post the configs in case it helps. However I feel like I have
tried all the possible variations of the configs (from so many good
howtos) with no effect at all.

P. S. One more (possibly important) detail. While I was playing with
different configs I was sometimes getting different output from
'wbinfo -u', which looked like this:

STUDENT2+joe
STUDENT2+nobody

This looked very strange to me as my domain is 'FOO.LOCAL', not
'STUDENT2' (the latter is the hostname of the new box) and these 2 users
are local users.

Thanks in advance,

dimir


Re: [Samba] Multiple winbindd processes

2005-01-10 Thread Vladimir Levijev
On Tuesday 11 January 2005 06:16, [EMAIL PROTECTED] wrote:

Hi,

> I had posted in the technical list about this sometime back. However, I
> don't think anything was available at that time, so I went ahead and wrote
> a small patch that allows multiple winbindd process to run at the same
> time :) . What it does is to create a separate pipe for each winbindd
> process. However, this would need a patch for the nss library as well and
> I've only worked out a patch for the linux nss library. I'd also added a
> couple of extra parameters to the smb.conf file that allowed for
> specification of a list of domains that could be veto-ed or allowed. I
> could send you the patch if you're interested.

I'm really interested. Thank you :-)

-- 
[EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Multiple winbindd processes

2005-01-10 Thread Vladimir Levijev

Hi,

My problem is that I'd like to have one GNU/Linux box with Samba installed 
serve multiple domains.

I have 2 domains separated from each other. I connected the Samba box to both 
domains and joined them successfully. I am running 2 smbd and 2 nmbd processes 
bound to the appropriate network interface, with different settings serving 
the appropriate domains.

Samba server is visible in both networks but here is the problem. I can start 
2 winbindd processes for each domain controller, but only one is actually 
working. So only users from that one are able to authenticate. Using 'lsof' 
showed that both winbindd processes are connected to the pipe, but only the 
last one started is actually listening to requests?

The question is, what do I need to do to make 2 winbindd processes work 
simultaneously? Is there a solution available, or will I need to write a 
patch for winbind?

TIA,

-- 
[EMAIL PROTECTED]


Re: [Samba] samba-3.0.0 and Active Directory

2003-11-16 Thread Vladimir Levijev
On Sun, 16 Nov 2003, Vladimir Levijev wrote:

Hi,

> Shortly, I want my Active Directory users to be able to use Linux samba
> file server.

[clip]

Don't bother, guys, I've got it working. The solution was Kerberos
(http://au1.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#ads-member).
Works really great, even though I neither knew much about Kerberos nor
ever used it. Even SSL over LDAP - voila! I'd like to thank all the people
ever involved in the development of Samba. You've done a great job! Keep up
the good work! Thanks to all the list members also ;-)

-- 
[EMAIL PROTECTED]



[Samba] samba-3.0.0 and Active Directory

2003-11-16 Thread Vladimir Levijev

Hi everybody,

Shortly, I want my Active Directory users to be able to use Linux samba
file server.

The network is: Win XP and w2k clients, an AD server (w2k) and Linux samba
file server (RedHat 7.1).

The services on Linux box (imap, ftp, ssh) are configured to use pam_ldap
and nss_ldap, so 'getent passwd' works fine and gets accounts from both
/etc/passwd (root and a couple of accounts) and AD using LDAPS (Active
Directory schema is extended with AD4Unix, so each user in AD has a valid
'Unix setting': uid/gid (1000-1) and a '/home/%u' for a shell).

I tried to configure samba to talk to AD, specifying the ldap server and
'ldap admin dn' and it even connects to AD server when I execute
'smbclient' locally on Linux (one.two.com is an AD server):

[clip]
[2003/11/15 19:53:25, 10] lib/smbldap.c:smbldap_open_connection(527)
  smbldap_open_connection: ldaps://one.two.com:636
[2003/11/15 19:53:25, 2] lib/smbldap.c:smbldap_open_connection(623)
  smbldap_open_connection: connection opened
[2003/11/15 19:53:25, 10] lib/smbldap.c:smbldap_connect_system(749)
  ldap_connect_system: Binding to ldap server ldaps://one.two.com:636
as "cn=ldapquery, cn=Users, dc=two, dc=com"
[2003/11/15 19:53:25, 3] lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
[2003/11/15 19:53:25, 4] lib/smbldap.c:smbldap_open(836)
  The LDAP server is succesful connected
[clip]

but then, instead of fetching the account of a user I specified with '-U'
to smbclient, it searches for 501 SID:

[clip]
[2003/11/15 19:53:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1098)
  ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-22154274-3529046950-2477786524-501] count=0
[2003/11/15 19:53:25, 10] passdb/pdb_get_set.c:pdb_set_username(584)
  pdb_set_username: setting username nobody, was
[clip]

Why is it always searching for SID 501 no matter with what user I try to
connect and how can I determine who that user is?

And some other questions:

How is it possible to allow AD users to use samba file server's shares
(their home dirs) so that current Linux configuration (nss+pam+ldap) will
still work?

Do I certainly need kerberos for that?

If I need to extend my AD with samba schema, how can I do that?

Thank you in advance,

-- 
[EMAIL PROTECTED]

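A small triage helper for the smbd debug output quoted in this message, added here as an example; it is not part of the original post or of Samba. It pulls the SID out of an `Unable to locate SID [...]` line, splits it into domain SID and RID, and names the well-known RID. RID 501 is the Guest account of every domain, which is why the lookup does not change with the user given to `-U`: the failed lookup of `<domain SID>-501` followed by `pdb_set_username: setting username nobody` is smbd resolving the domain's Guest account for its own guest credentials and, finding no passdb entry for it, falling back to the Unix `guest account` (`nobody`); it is not the lookup of the connecting user. The embedded `LOG` is a constructed copy of the lines above with the wrapped SID line rejoined, the `rid_name` table covers only the well-known RIDs, and the log path in the usage comment is an assumption.

```shell
#!/bin/sh
# smbd-sid-triage.sh: added helper for reading the smbd debug lines quoted
# in this message. Not from the original post or from Samba. LOG is a
# constructed copy of those lines with the wrapped SID line rejoined.

LOG='[2003/11/15 19:53:25, 3] lib/smbldap.c:smbldap_connect_system(785)
  ldap_connect_system: succesful connection to the LDAP server
[2003/11/15 19:53:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1098)
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-22154274-3529046950-2477786524-501] count=0
[2003/11/15 19:53:25, 10] passdb/pdb_get_set.c:pdb_set_username(584)
  pdb_set_username: setting username nobody, was'

# sid_rid SID: print the last sub-authority (the RID) of a domain SID
# (S-1-5-21-<three numbers>-<rid>); non-zero for anything else.
sid_rid() {
    case "$1" in
        S-1-5-21-*-*-*-*) printf '%s\n' "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# sid_domain SID: the SID without its RID, i.e. the domain SID.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# rid_name RID: well-known RIDs that exist in every domain.
rid_name() {
    case "$1" in
        500) echo Administrator ;;
        501) echo Guest ;;
        502) echo krbtgt ;;
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        *)   echo "RID $1 (not a well-known account)" ;;
    esac
}

# triage: read an smbd log on stdin and print one line:
#   ok                      no failed SID lookup in the log
#   guest-lookup DOMAINSID  the failed lookup was for RID 501 (Guest) and
#                           smbd then switched to the Unix guest account:
#                           smbd setting up its own guest credentials,
#                           not a lookup of the user given to -U
#   lookup-failed SID NAME  a failed lookup of some other SID
triage() {
    log=$(cat)
    sid=$(printf '%s\n' "$log" | sed -n 's/.*Unable to locate SID \[\([^]]*\)\].*/\1/p' | head -n 1)
    [ -n "$sid" ] || { echo ok; return 0; }
    rid=$(sid_rid "$sid") || { echo "lookup-failed $sid (not a domain SID)"; return 1; }
    if [ "$rid" = 501 ] && printf '%s\n' "$log" | grep -q 'pdb_set_username: setting username nobody'; then
        echo "guest-lookup $(sid_domain "$sid")"
        return 2
    fi
    echo "lookup-failed $sid $(rid_name "$rid")"
    return 1
}

# Run as:  triage < /var/log/samba/log.smbd   (path is an assumption), or
# on the embedded sample:  printf '%s\n' "$LOG" | triage
```

On the sample the result is `guest-lookup S-1-5-21-22154274-3529046950-2477786524`, i.e. the domain SID from the log with the Guest RID stripped; a failed lookup for any other RID is reported with its well-known name when it has one, which is the line to look at when the connecting user itself cannot be found.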