Re: [Samba] Joining a samba 3.0 domain with win2003 Server

2005-08-24 Thread john dooley
yitzhak bar geva wrote:
 I run a Samba PDC under Linux with Windows 2003 domain
 member connected as a client with Terminal Services.
 The message I get at login when trying to open a
 remote Windows Terminal session is:
 The local policy of this system does not permit you
 to logon interactively.
 Any advice?
 Thanks,
 Yitzhak Bar Geva
 
  
 
 

Hello Yitzhak,

IIRC you need to add users via the Group Policy Editor / Windows
Settings / Security Settings / Local Policy / User Rights / "Allow logon through
Terminal Services", and add users or groups there.

I just made a group domainTS under the Active Directory domain and then
added users to that group.

Then I added that group as per the above method.

It seems to work for me, but I am no guru.

Regards,
JD

-
struggling with samba by example...
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Can't get linux workstations to logon using ADS domain credentials- suse 9.3

2005-08-12 Thread John Dooley
Hi guys.  I'm really, really stuck.  I can't find a working config for
either Suse 9.3 (or Debian/Ubuntu) workstations to log in to the ADS
using KDE and domain credentials (DOMAIN+user).  I'm getting
"Xsession: Login for domain+user is disabled" errors in Suse 9.3.

Basically I'm trying to use the Samba by Example Abmas.london example
with ADS 2k3 server integration for the domain member server, but with client
(Linux) workstations.  I can't get the clients to auth with the GUI
logons and I think it's the pam.d/ configurations (as I'm just guessing
what works).

I can join workstations and a Debian member server to the AD 2k3 domain
okay (wbinfo, getent etc. all work; kinit Administrator and net ads join
work) as per the examples.

But I am _desperate_ for working pam.d/ configs for workstations using
either Suse 9.3 or Debian sarge (or Ubuntu hoary).  I'm cycling through
distros trying to find one which works for me.

Please, please, please, someone post working pam.d directory files for
Suse 9.3 client workstations and/or Debian/Ubuntu client workstations.

If this all falls over, the easiest solution will be just buying a bunch
of Windows XP Pro licences, and Bill's already wealthy enough... :(

Thanks in advance

JD


[Samba] [Fwd: Can't get linux workstations to logon using ADS domain credentials- suse 9.3]

2005-08-12 Thread john dooley
-- 
=
dr john dooley mbbs frcpa

aka ron




[Samba] debian pam.d/gdm working config please

2005-08-10 Thread john dooley
Hi all.
I posted a more complex message a few days ago about issues with
Ubuntu/Debian logging on to a Debian domain member server through a
Windows Active Directory server but got no reply.  At this stage I want
to work out for sure I've got the Ubuntu clients configured correctly.
2k3 info on Ubuntu seems scarce and/or non-solutional for me.

security = ADS, winbind/pam; net ads join works okay, getent works,
as per the Samba by Example chapter 7.  I do this on both the member
server with the shares and on the Ubuntu clients.

Auth with Active Directory seems to be working...

I'm still having trouble getting access to the shares on the Debian
domain member server from the Ubuntu clients though.

Can someone please post Debian sarge pam.d/gdm etc. that is configured
for winbind correctly?  I've tried sticking "auth etc. sufficient
pam_winbind.so" blindly everywhere to get the authentication and access
happening correctly, but I still have issues with too many logon
dialogues (and also the share permissions).  The examples only deal with
Suse and Red Hat.

Also, no matter what I do I still only get share access on the member
server as read only... I can get full access only on the win2k3 server
when logging on as Administrator, and DOMAIN+administrator is added as an
admin user in smb.conf  (directory and file permissions set wide open,
chmod 777 -R the shared directory files, full control to domain users in
2003... is there something else I should be configuring with
users/groups to get full permissions???... it seems to be an issue with
the Ubuntu boxes but not the 2k3 server.  I'm going nuts with trying
smb.conf variations and am currently totally confused)

Thanks in advance

John Dooley




[Samba] 2k3Srv ADS, debian member server, Ubuntu workstations and no write access to share (security =ADS mode, winbind, krb5)

2005-08-07 Thread john dooley
Hi All,
I'm going nuts trying to get a mixed environment going.  I have a couple
of problems, one related to logons and passwords which I think is a
pam.d/gdm config error on my part, and one where I can't get write access
from the Ubuntu clients to the domain member server share.  This is the
most critical... please help me fix this.

In a nutshell:
Single Win 2003 Srv ADS (SP1)
A single domain member server (Debian sarge box).
Multiple Ubuntu/Debian workstations using GNOME (hoary latest and Debian
sarge-stable)

Using the winbind Kerberos method from the manual.
Aiming for single sign-on and having the Ubuntu workstations write to
(at this stage *any*) share on the Debian box.

Basic problem is this:
Ubuntu boxes can see the share on the Debian box, but for the life of me
I cannot get them write access to any of the directories (I can't get
write access to files using Gedit or OpenOffice under GNOME; I can
apparently execute a logon as a domain user, NEXUS+sci1 for example).
Strangely, I can create an empty file, rename it to .txt and then open it
in Gedit (but only read only)!  I am confused also because if I log on
to the W2k3 server as Administrator and examine the share I have write
permission and can alter files (I also have this user as an admin user
in the smb.conf).  I am not sure my pam.d/gdm and other pam files are
right.  I also get asked for auth to access the share after logging on
as a domain user (which I need to fix).

On the Debian member server side I have set permissions on the share
directory to rwx for owner, group and world, chowned the files to NEXUS+sci1 (my
test user), chgrp to NEXUS+domain users.  On the 2003 ADS side I
published the share and gave full control to Domain Users (I think
successfully).

Here's the directory that's being shared [sharefile]:
drwxrwxrwx 6 sci1 NEXUS+domain users 4096 2005-08-08 09:12 tmp

Here's a test file on the share I can only open read only no matter what
I do on the Debian/Ubuntu workstations with GNOME/Gedit.  Looking at
permissions from the GNOME workstation I get 744: user rwx, group and
other r only (which seems to match the behaviour but not the permissions
on the actual file on the share; I manually set them on the share just
to be sure).
-rwxrwxrwx 1 NEXUS+sci1 NEXUS+domain users 14 2005-08-08 09:28 krb5cc_0.txt

Even more strangely, I managed to open it with the Bluefish editor, change
and SAVE it!  But OpenOffice and Gedit can't access it (OpenOffice gives
a "file does not exist" error and Gedit will only open it read only).

As for authentication:
I can join the boxes to the domain, I think successfully, i.e. from both
the Debian member server and the Ubuntu boxes I can execute a net ads join command,
wbinfo -u, wbinfo -g, getent passwd and getent group okay and see all the AD
users in the domain.  The machines appear in the Active Directory
Computers section.

Example on the Debian member server from getent passwd:
NEXUS+administrator:x:1:1:Administrator:/home/NEXUS/administrator:/bin/bash
NEXUS+dl380$:x:10008:10003:dl380:/home/NEXUS/dl380_:/bin/bash
NEXUS+ws1$:x:10009:10003:ws1:/home/NEXUS/ws1_:/bin/bash

I'm out of my depth (I'm on the steep part of the learning curve from
Windows peer-to-peer land); it's like there is still a block on
authentication for the Ubuntu boxes that I don't realise (I thought I had
given appropriate access and permissions).  I apologise for being pretty
clueless.  I have been thinking it's a permissions issue relating to the
Ubuntu boxes not authing as the correct user or something (due to my
pam.d/gdm hacking).  I have posted the smb.conf from the Debian member
server.
I can post log.smbd etc. if that helps.

If it's too hard to fix me, can someone post a known good smb.conf and
set of pam.d/ files for a Debian box (including, especially, pam.d/gdm)?
Else I will have to resort to two sets of users, Linux and
Windoze... The Windoze box runs a proprietary database app and will have
TS sessions to that app only (plus run Active Directory and DNS).  The
Linux boxes will be the workhorses for the users (OpenOffice etc.) and
open .rdp sessions to the database as necessary.  LDAP is too advanced
for me.

Thanks in advance:

John Dooley


smb.conf
# Samba config file created using SWAT... I'm not using SWAT though
# from 192.168.0.20 (192.168.0.20)
# Date: 2005/07/22 08:34:10

# Global parameters
[global]
security = ads
realm = INTRANET.NEXUSDOMAIN.COM
encrypt passwords = yes
password server = nexus01.intranet.nexusdomain.com
workgroup = NEXUS
winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
obey pam restrictions = yes
password server = *
log level = 2
admin users = NEXUS+administrator
nt acl support = Yes
map acl inherit = Yes
client use
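An added example, not from the thread or from the Samba project: a POSIX shell check over `getent passwd` output that flags winbind-mapped accounts whose uid or gid falls outside the expected idmap range or below 1000, where local system accounts live; the three NEXUS+ lines quoted above are used as constructed sample input, the "+" separator is taken from the smb.conf, and the 10000-20000 range is an assumption (the thread's own idmap range is not legible). The NEXUS+administrator entry mapped to uid 1 is exactly the kind of collision it reports.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check the uid/gid
# mappings winbind hands out, as they appear in "getent passwd".
# Assumptions: winbind separator is "+" (as in the thread's smb.conf) and the
# idmap range is 10000-20000 (constructed; the thread's own range is unknown).

# Constructed sample: the three getent passwd lines quoted in the thread.
SAMPLE_GETENT='NEXUS+administrator:x:1:1:Administrator:/home/NEXUS/administrator:/bin/bash
NEXUS+dl380$:x:10008:10003:dl380:/home/NEXUS/dl380_:/bin/bash
NEXUS+ws1$:x:10009:10003:ws1:/home/NEXUS/ws1_:/bin/bash'

# check_idmap SEPARATOR LOW HIGH   (reads getent passwd lines on stdin)
# Prints "<account> uid=<n> gid=<n> <reason>" for every domain account whose
# uid or gid is outside LOW-HIGH, or whose uid is below 1000 (the range local
# system accounts live in; uid 1 is "daemon" on Debian, so a domain account
# mapped there owns whatever that local account owns, and vice versa).
# Returns 1 if any problem was found, 0 otherwise.
check_idmap() {
    sep=$1 low=$2 high=$3 bad=0
    while IFS=: read -r name _ uid gid _; do
        case $name in
            *"$sep"*) ;;    # only winbind-mapped accounts (DOMAIN+user)
            *) continue ;;  # local accounts are not idmap's responsibility
        esac
        reason=""
        if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
            reason="uid outside idmap range $low-$high"
        elif [ "$gid" -lt "$low" ] || [ "$gid" -gt "$high" ]; then
            reason="gid outside idmap range $low-$high"
        fi
        if [ "$uid" -lt 1000 ]; then
            reason="${reason:+$reason; }uid collides with local system accounts"
        fi
        if [ -n "$reason" ]; then
            printf '%s uid=%s gid=%s %s\n' "$name" "$uid" "$gid" "$reason"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run over the sample: reports NEXUS+administrator only.
printf '%s\n' "$SAMPLE_GETENT" | check_idmap '+' 10000 20000 || echo "idmap problems found"
```

On a live member server the same check runs as `getent passwd | check_idmap '+' LOW HIGH` with the range copied from the `idmap uid` / `idmap gid` lines of smb.conf.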