[Samba] password validation
Hello,

When using "security = server" and "encrypt passwords = yes", is the user validated using secret.tdb, the password server or /etc/password? I have created different passwords for all three above (but the same username), and it seems it can use all of the passwords.

I'm using samba 2.2.7, and it seems the default value for "encrypt passwords" is "yes" (which is "no" in the smb.conf man pages). Is that correct?

TIA.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] oot: reply-to
Hello,

I just subscribed to this list and it seems that when replying to mail from this list, the reply goes to the sender instead of the list (which is a little bit annoying). Is it by default or did my mail client not handle it properly?

Tks.
RE: [Samba] Samba Authentication against NT domain
At 01:48 PM 1/9/2003 -0600, you wrote:
>Try something like this...
...
>
># useradd machine% --> with the dollar sign
># smbpasswd -a -m machine

Is this command required? It's for samba acting as PDC only. From the man page:

-m This option tells smbpasswd that the account being changed is a MACHINE account. Currently this is used when Samba is being used as an NT Primary Domain Controller.
RE: [Samba] Samba Authentication against NT domain
At 06:51 AM 1/10/2003 -0600, Troy.A Johnson wrote:
>No, not in my experience.
>
>Since Samba (in "domain" mode) will forward all authentication requests to

Correct, in fact we can have a blank smbpasswd as long as the account is already in /etc/passwd. However, the problem with this "forward" model is that we need to add this samba server to the allowed logon w/s in the nt user account, still not similar to an NT domain member :(

>the PDC of the domain, it just has to join the domain (which causes the PDC
>to create a machine account for the Samba server automagically).
>

The machine account will be stored in the pdc (nt), not samba.
[Samba] Exchange data with NT Wins server
Hi all,

Is there any way to exchange data with a wins server (nt)? I have 4 separate subnets over wan (with dedicated connection); my subnet uses samba acting as wins server and the others are (still) using nt wins.

I know samba wins cannot participate in replication, but can we tell samba to query other wins servers to resolve a query (i.e. something like ldap referral or dns forward)?

Tks.
Re: [Samba] Exchange data with NT Wins server
At 10:30 AM 1/12/2003 -0500, Christopher Barry wrote:
>research these parameters:
> remote announce
> remote browse sync

Thanks, but both options seem to only provide the browsing list to another subnet, not nbname-to-ip. With nt-wins to nt-wins replication, on a win client, I can ping using the netbios name (even if the machine is on a separate subnet and not listed in dns).

ps: This list "style" keeps breaking my mail filter and is hard to reply to. Admin, pls add a reply-to header :-)

>
>HTH
>-C
>
RE: [Samba] Exchange data with NT Wins server
At 05:02 PM 1/13/2003 -0500, Barry, Christopher wrote:
>Mr. Beast,
>Do you need this functionality from everywhere, or just from your admin workstation?

From any clients which point their wins server to this samba wins server.

>You might try adding the wins server IP of the remote subnet to your advanced TCPIP
>options on the NIC in windows to see if that helps.

That means we would have to go to every client (500+, no dhcp, no dynamic update of dns) :-)
If we have more than 2 sites, where to put the rest of the wins servers?

>
>Let me know how it goes.

Ideally, samba should be able to resolve any query from a client. It should forward the request to other wins servers.

Tks!

>
>-C
>
>
Re: [Samba] Installing manpages?
At 08:18 PM 1/14/2003 -0800, you wrote:
>Hiya! How do I, from a source install, make the manpages install? I've
>got 2.2.5, and have hand-compiled for ages, but have no idea how to, as
>part of the build process, install the manpages.

Include samba man in MANPATH. Edit /etc/man.config
[Samba] 1 Domain 2 PDC?
Is it possible to use 2 PDC on 1 samba domain to provide fault tolerance? According to this, yes it is possible:

http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html

But on an MS NT domain it's impossible, only PDC allowed per domain.

I have around 1000 users (win and linux) at 4 different locations, and all are managed by openldap 2.1.x. It should have 4 different NT domains. What is the best way to set up fault tolerance, 1 PDC and 2 BDC per location or all PDC per location?

Tks.

--beast
[Samba] Help, migrating machine account SID......
Hello,

I have hundreds of w2k clients on an existing NT 4.0 domain. I want to migrate the NT server to samba (2.2.8a) with an openldap backend. Is there any way to migrate the existing client machine SIDs to the samba server so users don't need to re-join the domain again?

Tks.

--beast
[Samba] What makes an account is DOMAIN ADMINISTRATOR?
Hello,

I'm using samba 3.0b3. How do I make an account for domain admins (i.e. one that can add machine trust etc.)? Will giving it unix id = 0 make it a member of domain admins?

Tks.

--beast
Re: [Samba] What makes an account is DOMAIN ADMINISTRATOR?
Friday, July 25, 2003, 2:58:54 PM, Alex wrote:
> Look into the command 'net groupmap', here is where it lies.
> for example net groupmap add unixgroup=domainadmins ntgroup="Domain Admins"
> type=domain
> this will map your local group domainadmins to Domain Admins, so that
> windows understands it.
> If you already have groupmaps set up but no groups map to them use net
> groupmap modify.

This is my initial map from a fresh install:

[EMAIL PROTECTED] root]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

I have the root user in smbpasswd and have not put his group in "Administrators" or "Domain Admins", but why is it able to add machine trust from a Win2k client? Any explanation?

Tks.

--beast
Re: [Samba] Power Users - Is it possible?
Friday, July 25, 2003, 3:52:53 PM, Felipe wrote:
> On Fri, 2003-07-25 at 00:41, George Farris wrote:
>> Yes thanks, sorry to upset you:-) I think we understand that now. Must
>> be frustrating to what a newbie eh:-) Kind of funny.
> I'm seeing many people here in this list that do not complete understand
> the differences between a local group and a global (domain) group. I
> have posted a message trying to clarify on this :-)

From the net groupmap list command, it did not say anything about local and global groups.
I think samba should print a different msg to differentiate between local and global groups.

--beast
Re: [Samba] Power Users - Is it possible?
Friday, July 25, 2003, 4:39:56 PM, Felipe wrote:
> On Fri, 2003-07-25 at 11:13, Beast wrote:
>> > I'm seeing many people here in this list that do not complete understand
>> > the differences between a local group and a global (domain) group. I
>> > have posted a message trying to clarify on this :-)
>>
>> >From net groupmap list command, it did not say anything about local
>> and global group.
>> I think samba should print different msg to differentiate between
>> local and global group.
> If Samba is acting as a domain controller (PDC), then it will only
> maintain global groups. Local groups are only available on workstations
> and member servers.

This is incorrect.
This is my smb.conf (it's a PDC):

[global]
netbios name = LINJKT
workgroup = DJKT
server string = %L on Samba Server %v
passdb backend = smbpasswd, guest
os level = 64
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes

This is the output of net groupmap list:

System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Even in an NT 4.0 PDC, there are still local groups by default. The nice thing is that in NT User Manager for Domains, it differentiates the local and global groups by icon. Samba should also have this feature (if possible :))

--beast
Re: [Samba] What makes an account is DOMAIN ADMINISTRATOR?
Friday, July 25, 2003, 3:58:57 PM, Beast wrote:
> Friday, July 25, 2003, 2:58:54 PM, Alex wrote:
>> Look into the command 'net groupmap', here is where it lies.
>> for example net groupmap add unixgroup=domainadmins ntgroup="Domain Admins"
>> type=domain
>> this will map your local group domainadmins to Domain Admins, so that
>> windows understands it.
>> If you already have groupmaps set up but no groups map to them use net
>> groupmap modify.
> This is my initial map from fresh install :
> [EMAIL PROTECTED] root]# net groupmap list
> System Operators (S-1-5-32-549) -> -1
> Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-682855339-941891451-1873685625-514) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
> I have root user in smbpasswd and not put his group to
> "Administrators" or "Domain Admins" but why it able to add machine
> trust from Win2k client? any explanation?
> Tks.

Another problem :(

I created an ordinary unix user and put it in the smbadmin unix group.

smbadmin:x:999:beast

I created a machine trust account (in unix and smbpasswd):

[EMAIL PROTECTED] root]# pdbedit -L
beast:500:
trg02$:501:

I mapped "smbadmin" to the "Domain Admins" ntgroup:

Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin

From Win2000, I cannot join this client to the domain with user "beast"; it says:

Login failure: unknown username or bad password.

(FYI, I can login using beast on a Win98 client, so no pb in username/password)

So, what exactly is the requirement for Domain admins?

--beast
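
The local-versus-global question raised in the posts above can be answered from the SIDs that `net groupmap list` already prints. The following is an added example, not part of any post in this thread and not Samba code: it parses that listing, classifies each group by SID prefix, and reports groups with no Unix group behind them. The function names are hypothetical, and treating `-1` as "unmapped" is an assumption based on the listings shown here.

```python
import re

# Constructed sample: lines copied from the `net groupmap list` listings in
# this thread, including the "Domain Admins -> smbadmin" mapping shown above.
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-682855339-941891451-1873685625-513) -> -1
Power Users (S-1-5-32-547) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-682855339-941891451-1873685625-512) -> smbadmin
Users (S-1-5-32-545) -> -1
"""

ENTRY = re.compile(r"^(?P<name>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")

def sid_scope(sid):
    """Classify a group SID by the authority it is relative to."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "32"] and len(parts) == 5:
        return "builtin"   # S-1-5-32-<RID>: BUILTIN aliases, i.e. local groups
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "domain"    # S-1-5-21-<domain SID>-<RID>: domain-relative
    return "other"

def parse_groupmap(text):
    """Parse `net groupmap list` lines into dicts; skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sid = m.group("sid")
        unix = m.group("unix").strip()
        entries.append({
            "name": m.group("name"),
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]),
            "scope": sid_scope(sid),
            # Assumption: "-1" means no Unix group is mapped to this NT group.
            "unix_group": None if unix == "-1" else unix,
        })
    return entries

def unmapped(entries, scope=None):
    """Names of groups with no Unix group mapping, optionally for one scope."""
    return [e["name"] for e in entries
            if e["unix_group"] is None and scope in (None, e["scope"])]
```
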
Re: [Samba] Power Users - Is it possible?
Friday, July 25, 2003, 5:09:31 PM, Felipe wrote:
> On Fri, 2003-07-25 at 11:54, Beast wrote:
>> > If Samba is acting as a domain controller (PDC), then it will only
>> > maintain global groups. Local groups are only available on workstations
>> > and member servers.
>>
>> This is incorrect.
>> This is my smb.conf (Its PDC) :
> Well, local groups do exist in domain controllers, but they are shared

Yes :=)

> between domain controllers exclusively. That is, a domain workstation
> does have its own "Power Users" local group, which is totally different
> from the "Power Users" local group of the domain controllers.

That's why it's called "Local" :=)

--beast
Re: [Samba] What makes an account is DOMAIN ADMINISTRATOR?
Friday, July 25, 2003, 5:30:00 PM, Felipe wrote:
>>
>> So, what is exactly requirement for Domain admins?
> To be able to join a Windows XP/2000 computer to a Samba Domain, during
> the process you must supply a Samba user that is mapped to UID=0 on your
> Samba server.
> The easiest way is to create an "Administrator" user in Samba and assign
> it a UID of 0. Then, when joining your Windows machine to the domain,
> use that "Administrator" user.

Tks felipe,

But why does it need to be root (or uid=0)? Is it because it needs to open /etc/samba/smbpasswd? What if I'm using ldap, can I use an ordinary user and bind as ldapmanager?

This is required for me because I will use the ldap backend but I don't want to create a root account in ldap which, if it's compromised, can do anything to *all* workstations.

Tks again.

--beast
Re: [Samba] What makes an account is DOMAIN ADMINISTRATOR?
Friday, July 25, 2003, 6:31:30 PM, Felipe wrote:
> On Fri, 2003-07-25 at 12:41, Beast wrote:
>>
>> This is required for me because I will use ldap backend but I don't
>> want to create root account in ldap which if it's compromised, it can
>> do anything to *all* workstation.
> Sincerely, I don't know why the "Administrator" user must have a UID of
> 0, but I know that it's always needed, even when you're using the
> LDAPSAM backend.
> In fact, I'm using the LDAPSAM backend of Samba 3.0 beta 3 and it's a
> requisite that the user you use to join the machine to the domain
> (normally, Administrator) has a UID of zero.
> To secure your "Administrator" Samba user, assign it a UID of 0, a
> different password from your "root" unix user,

I have to enable "ldap passwd sync", so assigning a different passwd will not be a good solution...

> and specify "/dev/null"
> as the home directory and login shell.

Aah yes, why am I so dumb? :=)
Create user administrator with uid=0 but without a home directory and valid shell. root will be local on each server.

Tks felipe, you're my hero :-)

--beast
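
The hardening discussed above (a second UID 0 account with "/dev/null" as home directory and login shell) is easy to get wrong or to forget about later, so it is worth auditing. The following is an added example, not part of the thread: it lists every UID 0 account in passwd-format text and flags extra ones that still have a login shell or a real home directory. The sample data, the function names and the list of non-login shells are assumptions made for illustration.

```python
# Constructed sample in /etc/passwd format; the account names are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
administrator:x:0:0:Samba domain join:/dev/null:/dev/null
toor:x:0:0:spare admin:/root:/bin/sh
beast:x:500:500::/home/beast:/bin/bash
trg02$:x:501:501:machine:/dev/null:/bin/false
broken-line-without-fields
"""

# Shells that refuse an interactive session (assumed list; extend per site).
NON_LOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, malformed line, or non-numeric UID
        yield fields[0], int(fields[2]), fields[5], fields[6]


def audit_uid0(text, expected=("root",)):
    """Return (name, issues) for every UID 0 account; expected names get no issues."""
    findings = []
    for name, uid, home, shell in parse_passwd(text):
        if uid != 0:
            continue
        issues = []
        if name not in expected:
            issues.append("extra UID 0 account")
            if shell not in NON_LOGIN_SHELLS:
                issues.append(f"login shell {shell}")
            if home != "/dev/null":
                issues.append(f"home directory {home}")
        findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_uid0(SAMPLE_PASSWD):
        print(name, "->", ", ".join(issues) or "ok")
```

A non-login shell only blocks interactive Unix logins; the account still authenticates to Samba as UID 0, so its password remains the control that matters.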
[Samba] smbpasswd and LDAP
Hello,

Is it possible to use the smbpasswd command to add the necessary objectclasses and attributes to existing ldap entries which contain only a posix account?

I got invalid DN syntax when adding an smbuser using smbpasswd:

[EMAIL PROTECTED] root]# smbpasswd -a beast
New SMB password:
Retype new SMB password:
failed to add domain dn= sambaDomainName=DJKT,dc=mydomain,dc=com with: Invalid DN syntax
invalid DN
Adding domain info for DJKT failed with NT_STATUS_UNSUCCESSFUL
failed to add user dn= uid=beast,ou=people,"dc=mydomain,dc=com" with: Invalid DN syntax
invalid DN
failed to modify/add user with uid = beast (dn = uid=beast,ou=people,"dc=mydomain,dc=com")
Failed to add entry for user beast.
Failed to modify password entry for user beast

I have the necessary ldap entry under ou=people,ou=mysite,dc=mydomain,dc=com.

--beast
Re: [Samba] Intranet on Samba?
Saturday, July 26, 2003, 12:04:30 PM, StewartConnor wrote:
> Question:
> When creating an "Intranet"--a secure private net that connects to nodes over
> the internet--
> How does Samba fit in?
> Are there aids to doing just this within the Samba platform, is "Intranet"
> something that is done independent of the Samba platform??

Use VPN to connect and login to intranet from anywhere.

--beast