Re: [Samba] Samba PDC - XP Client refuses to join!

2008-05-03 Thread awilliam
paste your smb.conf

> Hi all,
>
> I have been setting up a samba3 domain controller, all seems to work
> fine on the samba side, until I try to join a workstation to the domain.
>
>  From a windows XP client, the following happens...
> Enter computer properties, computer name tab... click Change...
> Enter "SUSSEXMC.COM" in the domain box, click ok
> Now is where things start going wrong..
> XP waits for a little while, before responding with:
>
> "A Domain Controller for the domain SUSSEXMC.COM could not be contacted"
>
> Clicking details reveals:
>
> "DNS was succesfully queried for the service location (SRV) resource
> record used to locate a domain controller for the domain: SUSSEXMC.COM
> The query was for the SRV record for _ldap._tcp.dc._msdcs.SUSSEXMC.COM
> The following domain controllers were identified by the query:
> smc1.sussexmc.com
> Common causes of this error include:
> - Host (A) records that map the name of the domain controller to its IP
> addresses are missing or contain incorrect addresses
> - Domain controllers registered in DNS are not connected to the network
> or are not running."
>
> Now ALL using the same XP client...
> I can verify that the A records are correct using nslookup (Server ip is
> 10.10.1.1, reported by DNS server at 10.10.1.1 (Also the machine gets
> its IP address from DHCP on the same server, and this correctly updates
> the forward and reverse dns zones to reflect this))
>
> I can also verify the DC is running, as if I manually enter "\\smc1" or
> "\\smc1.sussexmc.com" into windows explorer (the first time) I am
> prompted for a username/password (and providing valid credentials allows
> me to logon and see the main shares on the PDC (sysvol, netlogon,
> printers), as well as the user's home folder).
>
> What am I missing??
> James
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>




[Samba] DNS problem?

2007-11-19 Thread awilliam
I'm trying to join an XP SP2 PC called testpc to a test environment.  Its
network settings are statically set.  IP address is 10.8.3.209.  I have a
PDC called gomer.mdah.state.ms.us w/ samba 3.0.26a and IP address is
10.8.3.37.  On test PC I right click on my computer, properties, computer
name, change from workgroup WORKGROUP to domain ADAMSTEST.

But I get the error:

Note: This information is intended for a network administrator.  If you
are not your network's administrator, notify the administrator that you
received this information, which has been recorded in the file
C:\WINDOWS\debug\dcdiag.txt.

The domain name ADAMSTEST might be a NetBIOS domain name.  If this is the
case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location
(SRV) resource record used to locate a domain controller for domain
ADAMSTEST:

The error was: "DNS name does not exist."
(error code 0x232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.ADAMSTEST

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its
child zone:

ADAMSTEST
. (the root zone)

For information about correcting this problem, click Help.


I've googled the error and people say to make sure your DNS is fine, you
can ping, turn off windows firewall, etc.  I've done all that.  I don't see
any problems with my configuration.  testpc can ping
gomer.mdah.state.ms.us fine.

And dcdiag.txt contains that message above.  My samba configuration seems
correct:

[EMAIL PROTECTED] ~]# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "printer admin" option is deprecated
Processing section "[homes]"
Processing section "[accounts]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[print$]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
unix charset = LOCALE
workgroup = ADAMSTEST
server string = Samba Server %v on gomer
interfaces = 10.8.3.37/24, 127.0.0.1/8
bind interfaces only = Yes
update encrypted = Yes
passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-groupmod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
ldap user suffix = ou=People
idmap backend = ldap:ldap://gomer.mdah.state.ms.us
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
win

Re: [Samba] Samba as a domain controller for Linux workstations?

2005-08-29 Thread awilliam

but then, no roaming profiles, right?
well, one less thing to worry about :)
Well, LINUX doesn't have anything like a roaming profile for better 
or worse.  Current LINUX desktop environments don't much lend 
themselves to "management".

What about a logon script which runs unison
(http://www.cis.upenn.edu/~bcpierce/unison/) to synchronize?


File synchronization does not equal 1:1 the functionality of roaming
profiles. Roaming profiles in conjunction with system policies let the
admin exert a great deal of control over the user's experience - this isn't
really possible with the current state of things on the LINUX desktop.  So
whether the answer to the poster's questions is "yes" or "no" depends
specifically on what he/she is looking to do.




Re: [Samba] Samba as a domain controller for Linux workstations?

2005-08-29 Thread awilliam
You don't need samba. In this case use LDAP for authentication
and mount the homes of each user per NFS. We use the smbldap tools
from idealix to manage users in LDAP. I have it in our firm so and
it works quite nice.


We do something similar,  our LINUX workstations and services authenticate
against and use information from an LDAP directory that is also our Samba SAM
for windows workstations.


but then, no roaming profiles, right?
well, one less thing to worry about :)


Well, LINUX doesn't have anything like a roaming profile for better or 
worse.  Current LINUX desktop environments don't much lend themselves 
to "management".


in that case it would perhaps make more sense to use some old 
computers as terminals (+nice LCD display), than buy new ones as 
workstations?


If you have a high speed LAN LTSP works very nicely.




Re: [Samba] LDAP and the Password attrtibute in SAMBA

2005-08-28 Thread awilliam

On Sun, 2005-04-10 at 13:53 +0200, Tony Earnshaw wrote:

Sun, 10.04.2005 at 02.56, Gerald (Jerry) Carter wrote:
[...]

> There was some interesting code submitted by Engineers
> at Novell for utilizing the clear text password in eDirectory.
> The password is pulled via an extended LDAP operation from the
> DSA (over ldaps).  smbd can then generate the lm and nt
> hashes from this therefore allowing one password to be stored.
> We could do the same thing with OpenLDAP if people felt this
> was helpful.  I.e. Is storing 'userPassword: {clear}secret'
> worth the single password configuration?
This would be fantastic. I have to have plain text userPasswords in the
LDAP database for non-Samba related CRAM- and DIGEST-MD5 purposes.
Syncing the 3 password types is no great hassle, but not having to do
that would definitely be a plus. Is Novell's code Open Source, then?

Yes, it's in current Samba releases.  What we should simply do is search
for the userPassword attribute, and call pdb_set_plaintext_password().
The tricky part of the patch will be writing the password back - I think
that the default behaviour should be to write back into the plaintext
password attribute, unless 'ldap password sync' is set.
(this will imply keeping a little state around, but it won't be hard).


Did such a feature make it into Samba, or might it in the future?  I'm
like Tony and already keep userPassword as cleartext in order to support
DIGEST-MD5 for those clients that can't do Kerberos.


> And before anyone yells the word 'security!', the danger
> is in obtaining the OpenLDAP db files.  It is possible to
> secure the password from unauthorized LDAP client access.
> Of course, the security settings are slightly more challenging
> than relying on hashes password being stored in the directory.
> However, the lm and nt password hashes are clear text equivalent
> so for those people using Samba, using {clear} would be
> only slightly more scary.
I'm not worried about plain text passwords in the LDAP DB. The only
users who have access to them are the slapd user (no shell) and root.


Yep, I'm not worried about this either.  If you hack into the DC with
sufficient privileges to steal the DB files then I'm borked anyway.






Re: [Samba] profiles, profdata & homes

2005-08-26 Thread awilliam

I understand the concept of home directories on the file server
becoming a share for the user on the smb-client computer.
I have a vague idea of "profiles", but I'm lost at "profdata".
How does that last one fit in? Where can I read more about it?
(profdata is common keyword on the search engines)


profdata?  I've been running a Samba DC with LDAP support since 2.2.1a and I
don't recall ever seeing that term.


Is there a document that describes the logon process?
(less detailed than the source code of samba? ;-)


Any good Windows Administration text.  You need to understand what the
workstation wants, and the workstation is a Windows box.




Re: [Samba] task scheduler in Samba ?

2005-07-18 Thread awilliam
> Anyone interested in having the Windows remote task
> scheduler implemented in Samba 3 at some point ?  I think
> it would be pretty easy work based on the registry stuff
> that's been done lately.  If you think this would be a
> useful feature for scheduling services on a Samba host,
> let me know.

Absolutely!!! Yes, please.  I've dreamed of this many times.
 
> Disclaimer: I've never used this feature on Windows except
> out of my own curiosity.

Even a utility mode in SMB client to schedule tasks on Windows clients 
would be terribly handy (like the windows at and atq command line tools).


Re: [Samba] Openldap + Samba 3 PDC

2004-12-30 Thread awilliam
> I'm trying to get Samba up but I can't seem to get the LDAP connection
> working correctly.  I can run a search from ldapsearch, but samba is
> complaining that it can't connect.  

Can you actually do an ldapsearch?  NOT ANONYMOUSLY but binding as the DN 
the DC will use?

> Here's the error from log.smbd
> [2004/12/29 16:04:04, 0] lib/smbldap.c:smbldap_connect_system(850)
>   failed to bind to server with dn= cn=Manager Error: Invalid credentials

Your DC's bind DN is "cn=Manager"?  I think you forgot to set up this part.

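The check suggested in the reply above, as an added example that is not part of the original post: it pulls the bind DN out of `smbldap_connect_system` failures in log.smbd and compares it with `ldap suffix` from smb.conf. The log and configuration samples are constructed, `dc=example,dc=com` is a placeholder, and treating an admin DN outside the suffix as incomplete is a heuristic assumed here.

```python
import re

# Constructed samples modelled on the log.smbd excerpt quoted above; the second
# log entry, the [global] fragment and dc=example,dc=com are placeholders.
SAMPLE_LOG = """\
[2004/12/29 16:04:04, 0] lib/smbldap.c:smbldap_connect_system(850)
  failed to bind to server with dn= cn=Manager Error: Invalid credentials
[2004/12/29 16:09:41, 0] lib/smbldap.c:smbldap_connect_system(850)
  failed to bind to server with dn= cn=Manager,dc=example,dc=com Error: Invalid credentials
"""

SAMPLE_CONF = """\
[global]
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=Manager
"""

BIND_FAIL = re.compile(r"failed to bind to server with dn=\s*(.*?)\s+Error:\s*(.+)$")

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def normalise(dn):
    """Lower-case a DN and drop spaces around ',' and '=' (escaped commas not handled)."""
    return ",".join(re.sub(r"\s*=\s*", "=", rdn.strip().lower()) for rdn in dn.split(","))

def bind_failures(log_text, ldap_suffix):
    """Return (dn, error, hint) per failed bind; assumes the admin DN sits under ldap suffix."""
    suffix, found = normalise(ldap_suffix), []
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if not m:
            continue
        dn = normalise(m.group(1))
        if dn == suffix or dn.endswith("," + suffix):
            hint = "DN is under 'ldap suffix': check the password stored with smbpasswd -w"
        else:
            hint = "DN is not under 'ldap suffix': 'ldap admin dn' is probably incomplete"
        found.append((dn, m.group(2).strip(), hint))
    return found

if __name__ == "__main__":
    for row in bind_failures(SAMPLE_LOG, global_params(SAMPLE_CONF)["ldap suffix"]):
        print(row)
```

Samba sends `ldap admin dn` to the directory verbatim, so a bare `cn=Manager` is what the server sees in the bind request.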


Re: [Samba] Re: Choosing hardware for a Samba based home media server

2004-12-29 Thread awilliam
> Adam's presentation on XFS should clear up some of those questions...
> ftp://ftp.kalamazoolinux.org/pub/pdf/XFS.pdf
> 1) Fast for lots of files
> 2) Fast for big files

2.5) Efficient for very small files

> 2) Native ACL support
> 3) Samba team recommended
> 4) Built in storage management tools - backup / restore


Re: [Samba] Re: Choosing hardware for a Samba based home media server

2004-12-29 Thread awilliam
> > Seems like a pretty light-weight load to me. I dare say a 1GHz CPU and IDE
> > disk could do that!
> > XFS filesystem will be a plus for any server, media server included.
> Couldn't help myself but why is XFS a plus for any server? Why do you
> recommend XFS specifically?

ftp://ftp.kalamazoolinux.org/pub/pdf/XFS.pdf


Re: [Samba] Pdf printer by mail with samba 3.0.9-1

2004-12-07 Thread awilliam
> > Has anyone set up a samba mail pdf printer with ADS authentication? How
> > can I setup samba for that ?

Same as setting up samba for anything.  The "mail pdf printer" is just a 
printer as far as Samba is concerned,  queuing the job just happens to 
invoke a script that does the ->pdf->mail thing rather than submitting it 
to an actual print queue.


Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread awilliam
> What I want is to skip the login prompt and instead authenticate using a
> NTLM/Kerberos ticket...

Yes.

> > > What is happening between the web server & the web client? Is the
> > > protocol  open or reverse engineered? Can this authentication be done
> > > using apache @  unix (perhaps by apache interacting with samba somehow)?
> > On the server side - yes, even current versions of SASL support NTLM.
> Hmm, but there's no mod_sasl around, so I don't see how that will help?

No, you don't use SASL for apache, but you might for Cyrus, etc...

Squid has its own NTLM support,  several mechanisms exist for doing NTLM 
or GSSAPI via apache.

http://modntlm.sourceforge.net/
http://modauthkerb.sourceforge.net/configure.html

> > > Any ideas or links to more info about this would be much appreciated.
> > On the UNIX/LINUX client side I think you're stuck;  nothing I've found
> > supports it.  If you're in an AD domain or Kerberos environment you can
> > probably do the same thing with GSSAPI.
> This time I'm really not interested in unix client, only unix as server, so
> this is OK, although someone here wrote about Mozilla handling at least
> Kerberos...

http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html


Re: [Samba] RE: why does samba need "anonymous access enabled" on windows to join AD server?

2004-09-28 Thread awilliam
> I've asked this question several times but have not gotten an answer, can
> anyone give me any clues or tell me where to read about this please?!

Pulling a *GUESS* out of the air, I'd suspect it uses anonymous access to 
the IPC$ share to retrieve some information.

Should be easy to crank up the debug level and see where it fails.  (Don't 
have any AD here, so I can't try it).