Re: [Samba] samba 3.4.2 centos with ldap 2.4.11 stucks
Sorry, don't have a BDC running in test environment. Kent - Original Message - From: "Martin Hochreiter" To: "Kent Nasveschuk" Cc: samba@lists.samba.org Sent: Thursday, October 15, 2009 10:10:17 AM GMT -05:00 US/Canada Eastern Subject: Re: [Samba] samba 3.4.2 centos with ldap 2.4.11 stucks Hi Kent, yes - our PDC is running the same combination - without any problems, and on that BDC machine (that I have completely reinstalled to eliminate other errors) I have that confusing daemon problems ... regard > I have the same setup Centos5.3, Samba3.4.2, OpenLDAP 2.4.11 (running on > 127.0.0.1). Those entries show up in individual machine logs, there are no > problems that I can see between OpenLDAP and Samba. > > smb.conf: > ... > log file = /opt/samba-3.4.2/var/log/samba.%m > ... > > Kent > > - Original Message - > From: "Martin Hochreiter" > To: samba@lists.samba.org > Sent: Thursday, October 15, 2009 8:51:25 AM GMT -05:00 US/Canada Eastern > Subject: [Samba] samba 3.4.2 centos with ldap 2.4.11 stucks > > Hi! > > We are using Samba 3.4.2 from sernet on a centos 5.3 box with > ldap 2.4.11 as db. > > I have very heavy problems with the smbd daemon. > If I set the smb.conf to the local ldap > via ldapsam:ldap://127.0.0.1 or just ldapsam > > # LDAP SETTINGS > ldap admin dn="uid=Admin,ou=Users,dc=xxx,dc=xxx" > ldap ssl = no > passdb backend = ldapsam:ldap://127.0.0.1 > ldap delete dn = no > ldap user suffix = ou=Users > ldap group suffix = ou=Groups > ldap machine suffix = ou=Clients > ldap suffix = dc=fh-stpoelten,dc=ac.at > ldap passwd sync = yes > > the smbd daemon stucks while connecting to it (see "non working log") > I have to kill -9 the daemons > > If I use the same 3.4.2 ldap externally from a similar centos 5.3 machine > the the connection works without problems (see "working log") > > You can query the local ldap with the ldaptools in various ways and you > get the correct response (with the credentials stored to the .tdb) > > - does anyone has a hint for me? > > regards > Maritn > > > > > > Non working log (debug 2): > > > [2009/10/15 14:42:59, 2] smbd/server.c:676(smbd_parent_loop) > waiting for connections > [2009/10/15 14:43:02, 2] smbd/sesssetup.c:1360(setup_new_vc_session) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close > all old resources. > [2009/10/15 14:43:02, 2] lib/smbldap.c:856(smbldap_open_connection) > smbldap_open_connection: connection opened > [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: nsc > [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 1003 > [2009/10/15 14:43:02, 2] auth/auth.c:310(check_ntlm_password) > check_ntlm_password: authentication for user [nsc] -> [nsc] -> [nsc] > succeeded > > > > > > > Working log (debug 2): > > > [2009/10/15 14:45:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close > all old resources. > [2009/10/15 14:45:41, 2] lib/smbldap.c:856(smbldap_open_connection) > smbldap_open_connection: connection opened > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: nsc > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 999 > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 1003 > [2009/10/15 14:45:41, 2] auth/auth.c:310(check_ntlm_password) > check_ntlm_password: authentication for user [nsc] -> [nsc] -> [nsc] > succeeded > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 998 > [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:571(init_sam_from_lda
Re: [Samba] samba 3.4.2 centos with ldap 2.4.11 stucks
I have the same setup Centos5.3, Samba3.4.2, OpenLDAP 2.4.11 (running on 127.0.0.1). Those entries show up in individual machine logs, there are no problems that I can see between OpenLDAP and Samba. smb.conf: ... log file = /opt/samba-3.4.2/var/log/samba.%m ... Kent - Original Message - From: "Martin Hochreiter" To: samba@lists.samba.org Sent: Thursday, October 15, 2009 8:51:25 AM GMT -05:00 US/Canada Eastern Subject: [Samba] samba 3.4.2 centos with ldap 2.4.11 stucks Hi! We are using Samba 3.4.2 from sernet on a centos 5.3 box with ldap 2.4.11 as db. I have very heavy problems with the smbd daemon. If I set the smb.conf to the local ldap via ldapsam:ldap://127.0.0.1 or just ldapsam # LDAP SETTINGS ldap admin dn="uid=Admin,ou=Users,dc=xxx,dc=xxx" ldap ssl = no passdb backend = ldapsam:ldap://127.0.0.1 ldap delete dn = no ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap machine suffix = ou=Clients ldap suffix = dc=fh-stpoelten,dc=ac.at ldap passwd sync = yes the smbd daemon stucks while connecting to it (see "non working log") I have to kill -9 the daemons If I use the same 3.4.2 ldap externally from a similar centos 5.3 machine the the connection works without problems (see "working log") You can query the local ldap with the ldaptools in various ways and you get the correct response (with the credentials stored to the .tdb) - does anyone has a hint for me? regards Maritn Non working log (debug 2): [2009/10/15 14:42:59, 2] smbd/server.c:676(smbd_parent_loop) waiting for connections [2009/10/15 14:43:02, 2] smbd/sesssetup.c:1360(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2009/10/15 14:43:02, 2] lib/smbldap.c:856(smbldap_open_connection) smbldap_open_connection: connection opened [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: nsc [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:43:02, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1003 [2009/10/15 14:43:02, 2] auth/auth.c:310(check_ntlm_password) check_ntlm_password: authentication for user [nsc] -> [nsc] -> [nsc] succeeded Working log (debug 2): [2009/10/15 14:45:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2009/10/15 14:45:41, 2] lib/smbldap.c:856(smbldap_open_connection) smbldap_open_connection: connection opened [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: nsc [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 999 [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1003 [2009/10/15 14:45:41, 2] auth/auth.c:310(check_ntlm_password) check_ntlm_password: authentication for user [nsc] -> [nsc] -> [nsc] succeeded [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:2353(init_group_from_ldap) init_group_from_ldap: Entry found for group: 998 [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: Admin [2009/10/15 14:45:41, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: Admin [2009/10/15 14:45:41, 1] smbd/service.c:1047(make_connection_snum) 10.222.0.240 (10.222.0.240) connect to service netlogon initially as user nsc (uid=1746, gid=999) (pid 3061) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] sambaShare used?
Just curious, is sambaShare objectClass used by Samba 3.4.2? Currently testing Samba 3.4.2 with OpenLDAP 2.4.11 backend in test environment. Couldn't find out much about it other than it has 2 attributes and is part of the samba.schema. Thanks Kent -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] invalid computer name when accessing a Samba server from a Samba client
Andrew Masterson wrote: > > Does the NAS have a machine account in the domain? > Yes, I can see an account named ho-nas01 in the "Computers" folder in AD. - -- Kent Tong Wicket tutorials freely available at http://www.agileskills2.org/EWDW Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA -- View this message in context: http://www.nabble.com/invalid-computer-name-when-accessing-a-Samba-server-from-a-Samba-client-tp25608649p25655616.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] invalid computer name when accessing a Samba server from a Samba client
Hi, I am trying to access a Samba server (a NAS, actually, a Level One FNS 7000B). However, it will only return an error NT_STATUS_INVALID_COMPUTER_NAME. Below is the output of some test commands. Thanks in advance for any help! r...@hoadms004:/etc/network# smbclient -L //ho-nas01 Password: Anonymous login successful Domain=[CPTTM] OS=[Unix] Server=[Samba 3.0.20b] Sharename Type Comment - --- ... vm Disk IPC$IPC IPC Service (HO-NAS01) ADMIN$ IPC IPC Service (HO-NAS01) Anonymous login successful Domain=[CPTTM] OS=[Unix] Server=[Samba 3.0.20b] Server Comment ---- HO-NAS01 HO-NAS01 WorkgroupMaster ---- CPTTMHO-NAS01 DOMAIN BACKUP01 WORKGROUPCPTTM r...@hoadms004:/etc/network# smbclient //HO-NAS01/vm -W CPTTM -U vmadmin -d3 lp_load: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" added interface ip=172.18.19.53 bcast=172.18.19.255 nmask=255.255.255.0 Client started (version 3.0.28a). resolve_lmhosts: Attempting lmhosts lookup for name HO-NAS01<0x20> resolve_wins: Attempting wins lookup for name HO-NAS01<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. resolve_hosts: Attempting host lookup for name HO-NAS01<0x20> Connecting to 172.18.20.11 at port 445 Password: r_candy Disk Doing spnego session setup (blob length=102) got OID=1 2 840 113554 1 2 2 got OID=1 2 840 48018 1 2 2k got OID=1 3 6 1 4 1 311 2 2 10 got principal=cifs/ho-na...@cpttm.org.mo Got challenge flags:Disk Got NTLMSSP neg_flags=0x60898215 NTLMSSP: Set final flags:isk Got NTLMSSP neg_flags=0x60088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x60088215 SPNEGO login failed: Invalid computer name session setup failed: NT_STATUS_INVALID_COMPUTER_NAME - -- Kent Tong Wicket tutorials freely available at http://www.agileskills2.org/EWDW Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA -- View this message in context: http://www.nabble.com/invalid-computer-name-when-accessing-a-Samba-server-from-a-Samba-client-tp25608649p25608649.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] migrating Samba PDC to a new server
Squeezer99 wrote: > > it should work ok. make sure to run net getlocalsid and net > getdomainsid and write them down and on the new server do net > setlocalsid and net setdomainsid if they are different. > Thanks! - -- Kent Tong Wicket tutorials freely available at http://www.agileskills2.org/EWDW Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA -- View this message in context: http://www.nabble.com/migrating-Samba-PDC-to-a-new-server-tp22861046p22900728.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] migrating Samba PDC to a new server
Hi, I'd like to migrate Samba 3.0.24-6etch10 PDC running on a Debian server to a new Ubuntu server. I plan to install Samba 3.0.28a-1ubuntu4.4 on the new server and then copy the files in /etc/samba and /var/lib/samba and copy the related Linux users in /etc/passwd and /etc/shadow. Will it work? Thanks in advance! - -- Kent Tong Wicket tutorials freely available at http://www.agileskills2.org/EWDW Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA -- View this message in context: http://www.nabble.com/migrating-Samba-PDC-to-a-new-server-tp22861046p22861046.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
RE: [Samba] Where does Windows get the samba name to put into the Network Share name?
Thank you all. Clearing out the registry did the trick. I was even able to set the server name to WHATEVER in the smb.conf file and got "WHATEVER" to come through. Kent -Original Message- From: Tom Crummey [mailto:t...@ee.ucl.ac.uk] Sent: Wednesday, February 11, 2009 2:03 AM To: Cross, Kent G (US SSA) Subject: Re: [Samba] Where does Windows get the samba name to put into the Network Share name? Hello, It's in the registry on the PC. Cross, Kent G (US SSA) wrote: > I have upgraded our sun server from samba 3.0.20b to version 3.2.4. If I > type "smb -V" on the sun, I get the proper version number of "Version > 3.2.4". When I map a network drive from my PC to a share named "home1" > on the sun, the PC mount point is named "home1 on 'Samba 3.0.20b > (server)'. I have unmapped all drives and re-mapped them with the same > result. > > > > Where is my PC getting the older version number from? I copied the > private folder, smb.conf, and smbpasswd from the old version to the new > install location. Could it be getting "Samba 3.0.20b" from one of these > files? > > > > Thanks in Advance > > > > > -- Tom. -- Tom Crummey, Systems and Network Manager,EMAIL: t...@ee.ucl.ac.uk Dept. of Electronic and Electrical Engineering, University College London, Roberts Building, TEL: +44 (0)20 7679 3898 Torrington Place, FAX: +44 (0)20 7388 9325 London, UK, WC1E 7JE. -- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Where does Windows get the samba name to put into the Network Share name?
I have upgraded our sun server from samba 3.0.20b to version 3.2.4. If I type "smb -V" on the sun, I get the proper version number of "Version 3.2.4". When I map a network drive from my PC to a share named "home1" on the sun, the PC mount point is named "home1 on 'Samba 3.0.20b (server)'. I have unmapped all drives and re-mapped them with the same result. Where is my PC getting the older version number from? I copied the private folder, smb.conf, and smbpasswd from the old version to the new install location. Could it be getting "Samba 3.0.20b" from one of these files? Thanks in Advance -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] conceptual question regarding file ownership and uid
Hi, For a samba member server s1 that uses the built-in user mapping (ie, no winbind), if a domain user DOM\u1 creates a file on the server, it will be owned by the local u1 user on the server, right? What if a user is using explorer on a Windows client to view its ownership, will it appear as s1\u1 or DOM\u1? How to ensure that it is the latter? Thanks! - -- Kent Tong Wicket tutorials freely available at http://www.agileskills2.org/EWDW Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA -- View this message in context: http://www.nabble.com/conceptual-question-regarding-file-ownership-and-uid-tp20315417p20315417.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: schannel_store.tdb appearing in /etc/samba
Steve Granger magellan-technology.com> writes: > smbd -b | less > > to see the private_dir and other file location. From my knowledge these > are set with compile time options. Thanks! Got this: SBINDIR: /usr/sbin BINDIR: /usr/bin SWATDIR: /usr/share/samba/swat CONFIGFILE: /etc/samba/smb.conf LOGFILEBASE: /var/log/samba LMHOSTSFILE: /etc/samba/lmhosts LIBDIR: /usr/lib/samba SHLIBEXT: so LOCKDIR: /var/run/samba PIDDIR: /var/run/samba SMB_PASSWD_FILE: /etc/samba/smbpasswd PRIVATE_DIR: /etc/samba /var/lib/samba is not one of them, but why are those .tdb files put into there (instead of /etc/samba)? Does it make sense to set the private dir to /etc/samba? If not, I'll file a bug report to Debian. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] schannel_store.tdb appearing in /etc/samba
Hi,
I just upgrade from Debian Sarge to Etch. Now, while Samba (3.0.24-6etch4) is
running, it creates the schannel_store.tdb /etc/samba. However, it should
really store it into the "private dir", which is supposed to be /var/lib/samba
as I see files like passdb.tdb in there. Any idea what's going on?
In addition, "private dir" is not defined in smb.conf. I don't know how it
gets defaulted to /var/lib/samba. The man page says it defaults to
${prefix}/private. Obviously this is not the case.
In addition, I can't find where "prefix" is defined in the man page.
Any help? Thanks!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Repost: Can't follow DFS link
Jim McDonough samba.org> writes: > > On 6/1/07, Kent Tong cpttm.org.mo> wrote: > > > smb_flg2=51203 > > > Kent, I know you already rebooted the client since we discussed this before > (though did you reboot the terminal server?). This flags2 value is 0xC803, > and we need to see the 0x1000 bit on before we recognize that the client is > interested in DFS pathnames. So now comes the tricky part...why is this > client different from your other client that works? I've tried it on three clients: two Win2K pro and one Win2K terminal server. Only one Win2K pro works. All have been rebooted. > Can you give me > anything on how you connected, security environment (ADS vs USER vs DOMAIN), > or even how you specified the server address (netbios name, dns name, ip > address)? These can all play a role, unfortunately, in how a window client > decides to ask for DFS referrals. We're in a Win2K AD domain. The DFS host (samba) is using user security and have the user accounts in the samba password DB (yes, we duplicated the user accounts from AD and it works fine). The share is access using netbios name. I just tried accessing it using IP and it works! What can I do in that case? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Repost: Can't follow DFS link
Hi, I am using 3.0.22 on Ubuntu 6.06. I'm trying to setup a DFS root. Here is the smb.conf share section: My smb.conf file is: [global] # use default ; security = user host msdfs = yes [Share] path=/var/Share writable=yes msdfs root=yes The dfs link is: # ls -l /var/Share/Data/2007/OfficeAdmin/pdf lrwxrwxrwx 1 root root 19 2007-05-23 09:14 /var/Share/Data/2007/OfficeAdmin/pdf -> msdfs:cladms004\pdf All the clients have been rebooted. They can all connect to \\cladms004\pdf directly. On one Win2K client the DFS link works fine. But on another Win2K client and a Win2K terminal server, I can't go into the "pdf" folder. I can see the "pdf" folder inside the share. But when I try to go into the "pdf" folder, Windows says the folder is inaccessible. The level 10 log is: [2007/05/28 17:24:14, 10] lib/util_sock.c:read_smb_length_return_keepalive(618) got smb length of 128 [2007/05/28 17:24:14, 6] smbd/process.c:process_smb(1193) got message type 0x0 of len 0x80 [2007/05/28 17:24:14, 3] smbd/process.c:process_smb(1194) Transaction 257270 of length 132 [2007/05/28 17:24:14, 5] lib/util.c:show_msg(454) [2007/05/28 17:24:14, 5] lib/util.c:show_msg(464) size=128 smb_com=0x32 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51203 smb_tid=10 smb_pid=2264 smb_uid=187 smb_mid=9153 smt_wct=15 smb_vwv[ 0]= 60 (0x3C) smb_vwv[ 1]=0 (0x0) smb_vwv[ 2]=2 (0x2) smb_vwv[ 3]= 40 (0x28) smb_vwv[ 4]=0 (0x0) smb_vwv[ 5]=0 (0x0) smb_vwv[ 6]=0 (0x0) smb_vwv[ 7]=0 (0x0) smb_vwv[ 8]=0 (0x0) smb_vwv[ 9]= 60 (0x3C) smb_vwv[10]= 68 (0x44) smb_vwv[11]=0 (0x0) smb_vwv[12]=0 (0x0) smb_vwv[13]=1 (0x1) smb_vwv[14]=5 (0x5) smb_bcc=63 [2007/05/28 17:24:14, 10] lib/util.c:dump_data(2058) [000] 00 00 00 EC 03 00 00 00 00 5C 00 44 00 61 00 74 .\.D.a.t [010] 00 61 00 5C 00 32 00 30 00 30 00 37 00 5C 00 4F .a.\.2.0 .0.7.\.O [020] 00 66 00 66 00 69 00 63 00 65 00 41 00 64 00 6D .f.f.i.c .e.A.d.m [030] 00 69 00 6E 00 5C 00 70 00 64 00 66 00 00 00 .i.n.\.p .d.f... [2007/05/28 17:24:14, 3] smbd/process.c:switch_message(993) switch message SMBtrans2 (pid 3864) conn 0x83ed558 [2007/05/28 17:24:14, 4] smbd/uid.c:change_to_user(222) change_to_user: Skipping user change - already user [2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2861) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(108) unix_convert called on file "Data/2007/OfficeAdmin/pdf" [2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(215) stat_cache_lookup: lookup failed for name [DATA/2007/OFFICEADMIN/PDF] [2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(248) stat_cache_lookup: lookup succeeded for name [DATA/2007/OFFICEADMIN] -> [Data/2007/OfficeAdmin] [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(185) unix_convert begin: name = Data/2007/OfficeAdmin/pdf, dirpath = Data/2007/Offi ceAdmin, start = pdf [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data /2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data /2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(400) conversion finished Data/2007/OfficeAdmin/pdf -> Data/2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2886) call_trans2qfilepathinfo: SMB_VFS_STAT of Data/2007/OfficeAdmin/pdf failed (No such file or directory) [2007/05/28 17:24:14, 10] smbd/trans2.c:set_bad_path_error(2623) set_bad_path_error: err = 2 bad_path = 0 [2007/05/28 17:24:14, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(2629) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Can't follow DFS link
Jim McDonough samba.org> writes: > > On 5/22/07, Kent Tong cpttm.org.mo> wrote: > > > > Can't believe that! Rebooting does fix the problem. Thanks a lot! > > > The client remembers whether or not we're a DFS server...so you can't change > from one to the other without rebooting. Sorry, actually it works only a computer but not on another. Both computers have been rebooted. The symptom is the same: I can see the folder (the link) but when I try to change into it, it says the folder has been moved or removed. My smb.conf file is: [global] # use default ; security = user host msdfs = yes [Share] path=/var/Share writable=yes msdfs root=yes The dfs link is: # ls -l /var/Share/Data/2007/OfficeAdmin/pdf lrwxrwxrwx 1 root root 19 2007-05-23 09:14 /var/Share/Data/2007/OfficeAdmin/pdf -> msdfs:cladms004\pdf The level 10 log is: [2007/05/28 17:24:14, 10] lib/util_sock.c:read_smb_length_return_keepalive(618) got smb length of 128 [2007/05/28 17:24:14, 6] smbd/process.c:process_smb(1193) got message type 0x0 of len 0x80 [2007/05/28 17:24:14, 3] smbd/process.c:process_smb(1194) Transaction 257270 of length 132 [2007/05/28 17:24:14, 5] lib/util.c:show_msg(454) [2007/05/28 17:24:14, 5] lib/util.c:show_msg(464) size=128 smb_com=0x32 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51203 smb_tid=10 smb_pid=2264 smb_uid=187 smb_mid=9153 smt_wct=15 smb_vwv[ 0]= 60 (0x3C) smb_vwv[ 1]=0 (0x0) smb_vwv[ 2]=2 (0x2) smb_vwv[ 3]= 40 (0x28) smb_vwv[ 4]=0 (0x0) smb_vwv[ 5]=0 (0x0) smb_vwv[ 6]=0 (0x0) smb_vwv[ 7]=0 (0x0) smb_vwv[ 8]=0 (0x0) smb_vwv[ 9]= 60 (0x3C) smb_vwv[10]= 68 (0x44) smb_vwv[11]=0 (0x0) smb_vwv[12]=0 (0x0) smb_vwv[13]=1 (0x1) smb_vwv[14]=5 (0x5) smb_bcc=63 [2007/05/28 17:24:14, 10] lib/util.c:dump_data(2058) [000] 00 00 00 EC 03 00 00 00 00 5C 00 44 00 61 00 74 .\.D.a.t [010] 00 61 00 5C 00 32 00 30 00 30 00 37 00 5C 00 4F .a.\.2.0 .0.7.\.O [020] 00 66 00 66 00 69 00 63 00 65 00 41 00 64 00 6D .f.f.i.c .e.A.d.m [030] 00 69 00 6E 00 5C 00 70 00 64 00 66 00 00 00 .i.n.\.p .d.f... [2007/05/28 17:24:14, 3] smbd/process.c:switch_message(993) switch message SMBtrans2 (pid 3864) conn 0x83ed558 [2007/05/28 17:24:14, 4] smbd/uid.c:change_to_user(222) change_to_user: Skipping user change - already user [2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2861) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(108) unix_convert called on file "Data/2007/OfficeAdmin/pdf" [2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(215) stat_cache_lookup: lookup failed for name [DATA/2007/OFFICEADMIN/PDF] [2007/05/28 17:24:14, 10] smbd/statcache.c:stat_cache_lookup(248) stat_cache_lookup: lookup succeeded for name [DATA/2007/OFFICEADMIN] -> [Data/2007/OfficeAdmin] [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(185) unix_convert begin: name = Data/2007/OfficeAdmin/pdf, dirpath = Data/2007/Offi ceAdmin, start = pdf [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/28 17:24:14, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data /2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83e4d88:size1a) DATA/2007/OFFICEADMIN/PDF -> Data /2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 5] smbd/filename.c:unix_convert(400) conversion finished Data/2007/OfficeAdmin/pdf -> Data/2007/OfficeAdmin/pdf [2007/05/28 17:24:14, 3] smbd/trans2.c:call_trans2qfilepathinfo(2886) call_trans2qfilepathinfo: SMB_VFS_STAT of Data/2007/OfficeAdmin/pdf failed (No such file or directory) [2007/05/28 17:24:14, 10] smbd/trans2.c:set_bad_path_error(2623) set_bad_path_error: err = 2 bad_path = 0 [2007/05/28 17:24:14, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(2629) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Can't follow DFS link
Jim McDonough samba.org> writes: > Could you include a little more from globals? The "host msdfs" option, and > believe it or not, the "security" option? Is this AD? > > Also, perhaps more important, have you rebooted the client after turning on > msdfs on the server? Hi Jim, Can't believe that! Rebooting does fix the problem. Thanks a lot! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Can't follow DFS link
Hi, I am using 3.0.22 on Ubuntu 6.06. I'm trying to setup a DFS root. Here is the smb.conf share section: [test] path=/var/test writable=yes msdfs root=yes The /var/test contains a single symlink: $ ls -l /var/test total 0 lrwxrwxrwx 1 root root 19 2007-05-22 14:56 pdf -> msdfs:cladms004\pdf On a Win2K client I can connect to \\cladms004\pdf successfully. I can also access the test share defined above. I can see the "pdf" folder inside the share. But when I try to go into the "pdf" folder, Windows says the folder is inaccessible. The level 10 debug log is shown below. Any help is much appreciated! [2007/05/22 15:33:42, 4] smbd/vfs.c:vfs_ChDir(738) vfs_ChDir to /var/test [2007/05/22 15:33:42, 3] smbd/trans2.c:call_trans2qfilepathinfo(2861) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2007/05/22 15:33:42, 5] smbd/filename.c:unix_convert(108) unix_convert called on file "pdf" [2007/05/22 15:33:42, 10] smbd/statcache.c:stat_cache_lookup(248) stat_cache_lookup: lookup succeeded for name [PDF] -> [pdf] [2007/05/22 15:33:42, 5] smbd/filename.c:unix_convert(185) unix_convert begin: name = pdf, dirpath = , start = pdf [2007/05/22 15:33:42, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/22 15:33:42, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/22 15:33:42, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled pdf ? [2007/05/22 15:33:42, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component pdf (len 3) ? [2007/05/22 15:33:42, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83bea58:size4) PDF -> pdf [2007/05/22 15:33:42, 5] smbd/statcache.c:stat_cache_add(140) stat_cache_add: Added entry (83bea58:size4) PDF -> pdf [2007/05/22 15:33:42, 5] smbd/filename.c:unix_convert(400) conversion finished pdf -> pdf [2007/05/22 15:33:42, 3] smbd/trans2.c:call_trans2qfilepathinfo(2886) call_trans2qfilepathinfo: SMB_VFS_STAT of pdf failed (No such file or director y) [2007/05/22 15:33:42, 10] smbd/trans2.c:set_bad_path_error(2623) set_bad_path_error: err = 2 bad_path = 0 [2007/05/22 15:33:42, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(2629) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_N OT_FOUND -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Many msgs log.winbindd about "group xxxxx in domain yyyyy does not exist"
I am seeing many, many msgs in log.winbindd with the following text: [2006/04/14 08:54:29, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(255) group system in domain AIXSAMBA does not exist Would anybody be able to point me in the right direction to determine what this is complaining about? One area I do not understand is why it is complaining about AIXSAMBA (the NETBIOS name). There is an entry in /etc/group for the "system" group (GID = 0). I do have some directories in one of the samba shares with an acl set as follows: * * ACL_type AIXC * attributes: base permissions owner(root): rwx group(win_domain_users): rwx others: r-x extended permissions enabled permit rwx g:system Environment: AIX 5.3: long names enabled (31 char including ending zero), using pam for authentication Samba 3.0.22 (compiled from source), configure options were: --with-pam --with-acl-support --with-aio-support --with-winbind smb.conf contents: [global] workgroup = ERSSECURITY netbios name = AIXSAMBA server string = Samba3 security = DOMAIN log file = /usr/local/samba/var/log.%m log level = 1 algorithmic rid base = 50 winbind uid = 11-50 winbind gid = 11-50 [denali_d] path = /samba/denali01 acl group control = yes create mask = 0775 directory mask = 2775 # force group = win_domain_cntlr # inherit acls = yes inherit permissions = yes read only = no writeable = yes guest ok = no admin users = @win_domain_admin [denali_f] path = /samba/denali02 acl group control = yes create mask = 0775 directory mask = 2775 force group = win_domain_admin # inherit acls = yes inherit permissions = yes read only = no writeable = yes guest ok = no admin users = @win_domain_admin Results from wbinfo -g: BUILTIN\system operators BUILTIN\administrators followed by all the groups in the WinNT PDC domain. Results from "net groupmap list": System Operators (S-1-5-32-549) -> win_sys_oper Replicators (S-1-5-32-552) -> -1 Guests (S-1-5-32-546) -> -1 Domain Controllers (S-1-5-21-1748253822-1525897820-1959552931-3641) -> win_domain_cntlr Domain Admins (S-1-5-21-3484108990-1107034133-219603564-512) -> win_domain_admin Domain Guests (S-1-5-21-3484108990-1107034133-219603564-514) -> -1 Power Users (S-1-5-32-547) -> -1 Domain Users (S-1-5-21-3484108990-1107034133-219603564-513) -> win_domain_users Print Operators (S-1-5-32-550) -> -1 Administrators (S-1-5-32-544) -> win_administrator Account Operators (S-1-5-32-548) -> -1 Backup Operators (S-1-5-32-551) -> -1 Users (S-1-5-32-545) -> -1 The "win_x" groups above are in the /etc/group file as: win_sys_oper:!:5001: win_domain_admin:!:5002:user1,user2,user3,user4 win_administrator:!:5003:user1,user2 win_domain_users:!:5004:user5,user6,user7,user3,user1,usert,user2,user8 win_domain_cntlr:!:5005: Thanks for any assistance/advice that y'all can provide. K Wick, Texas Emp Retirement Syst Phone: 512-867-7325 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] AIX 52 and long (>8) character Windows usernames
Env: AIX 5.2 ML07 with Samba 3.0.21b (compiled in-house) with config options of: --with-pam --with-winbind --with-acl-support --with-aio-support Can anybody shed any light on why users that have 8 characters or less (Windows and AIX) and are defined in /etc/passwd can access the defined Samba share while those users with a Windows username of 9 characters or more (who have been defined in the "username map" file are always presented with an authentication window? Is there something that I have wrong that I am just not seeing? This Samba server is functioning as a member server in an existing Windows NT domain. smb.conf reads: [global] workgroup = ERSSECURITY netbios name = SAMBASRVR server string = Samba security = DOMAIN algorithmic rid base = 50 username map = /usr/local/samba/lib/nt_dom_2_unix_user_map ldap ssl = no idmap uid = 10001-3 idmap gid = 10001-3 winbind separator = + [denali_d] path = /samba/denali_d read only = No # guest ok = Yes The file noted in "username map" reads: brad=ERSSECURITY/bstafford mrutherf=ERSSECURITY/mrutherford sambat2=ERSSECURITY/sambatest sambat2=sambatest /etc/pam.conf reads: # Authentication # login authrequired/usr/lib/security/pam_winbind.so login authrequired/usr/lib/security/pam_aix try_first_pass # loginauthrequired/usr/lib/security/pam_aix # loginauthrequired/usr/lib/security/pam_winbind.so try_first_pass su authsufficient /usr/lib/security/pam_aix OTHER authrequired/usr/lib/security/pam_aix # # Account Mgmt # # loginaccount required/usr/lib/security/pam_aix login account sufficient /usr/lib/security/pam_winbind.so try_first_pass OTHER account required/usr/lib/security/pam_aix # # Session Mgmt # OTHER session required/usr/lib/security/pam_aix # # Password Mgmt # OTHER passwordrequired/usr/lib/security/pam_aix -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Question on AIX 5.2, Samba and NT domains
Environment: AIX 5.2 Samba 3.0.21b (compiled at this site with Visualage C/C++ 6.0) configure was run as: ./configure --prefix=/usr/local/samba --with-pam --with-acl-support --with-aio-support --with-winbind Windows environment is a mix of Windows NT domain and Novell file servers. Does anybody know of a single document or set of documents that have a "cookbook" approach to creating/modifying the necessary AIX files to work with Samba with "pam", "winbind" and NSS support as a "member server"? If I have userids in the NT domain that are longer than 8 characters, am I "effed" when trying to get them to seamlessly access Samba? AIX 5.2 and below do not allow a username or group name to have a value longer than 8 characters. Do I need a "username map" file for the long usernames? As far as I can tell, the issue of long names in NT versus limitations of some OS versions is never discussed. The "Samba3-HOWTO" document(s) in Chapter 23 talk about the compile process creating the file "libnss_winbind.so". Something changed between document and Makefile because I get a file named WINBIND automatically created. In that same chapter, it goes on to talk about verifying winbind. I can run the "wbinfo -u" and "wbinfo -g" commands just find and it returns the the users and gorups in the NT domain that Samba joined. Then the document talks about using "getent" to see both local (AIX) and PDC users and groups. Unfortunately, I don't have that one in executable form. I can see the "getent" source in the testsuite/nsswitch directory but when I compile just that program all that it returns in the local users, nothing from the PDC. If I am using Samba as a member server, do I even need to worry about integrating PAM and winbindd? Another few "nit's" in the Samba-HOWTO in "The Samba Checklist": (1) When I run the "smbclient -L sambasrvrname" (as root), it asks for a password. When I give it the root password, it comes back with "session setup failed: NT_STATUS_LOGON_FAILURE". When I just press enter in response to the password request, it responds that it connected anonymously and returns the necessary data. (2) The "nmblookup" command in step 4 needs to be clarified a bit more. When I look at a print of the web page, it sure looks like the BIGSERVER and the "__SAMBA__" are run together. For that matter, I had to go the web page source to be certain that the "__" was a double underscore and not a single. Given the way some laser printer formatting works, it is entirely possible that it could have been a single underscore. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba on FDC5
Anyone know what version will be on Fedora Core 5? Core 4 has 3.0.14a-2 Kent Nasveschuk -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] synchronise time
Hello, This is new to me (WPKG). I started to use a product that I had to pay for to switch users. Tell me more if you can. I've started looking at the web site documentation. Kent N > Patrick DUBAU schrieb: > > > Hi, > > > > in my logon.bat file i put : net time \\admin /SET /YES to > synchronise computer time with the server. > > This works when the user who is login in has administrator rights on > the computer. > > How can i do with users who are just "member of the domain"? Is there > a way to run this command "as administrator" ? > > Thanks for any help > > > I use WPKG for that - http://wpkg.org - (and for all other tasks needing > administrator rights, like changing printers, installing and updating > software, changing file permissions and registry entries etc.). > > > -- > Tomek > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba as an NT5 (Win2K) PDC
Hi, I don't know who else responded to this, but there are many people out there using Samba as replacement for Win2k servers. Here's my personal involvement and a little history. I'm in a school system in Mass. where we have 7 Samba servers (1 PDC 6 BDC). I'm guessing there are about 2300+ user accounts and don't know how many computer accounts. It works well. We started with version 2.2.X on Slackware with 1 server 3 users. Graduated to RedHat 8.0/LDAP on 5 servers. This past summer every server was upgraded to Fedora Core 4 Samba 3.0.14a/passbackend LDAP 2.2.23. There is a slave LDAP server running on the BDCs because they are in different buildings. LDAP master is on a separate server than the PDC but they are in the same data closet in the same building. We did this because the LDAP master serves as a passbackend for other systems, for example: Cyrus IMAP, Moddle, SquirrelMail, other home grown applications that use LDAP for authentication. We don't use the normal tools for managing user/group accounts. We are a school system, accounts for students start in Middle School and follow them to High School. We needed to be able to bulk add, delete and modify user accounts in addition to one-at-a-time modifications, so our tools are geared towards this. Our client systems range from Win95 to XP. We use Kixtart script processor to run OS specific scripts. The howto's are a good place to start and they are pretty specific. I'd start with getting a working LDAP directory first, then move on to Samba. I can't give you any specifics, but if you are going to use LDAP determine how your directory tree will look, and get your base local/domain groups in LDAP. There are many smb.confs out there that will work as PDC. Post how things are going. Everyone's here to help. Kent N > Hi > > I am trying to find someone who can help me with configuring samba as a > Win2k PDC, I have read various How-TO's and the online reference material > but some of it has conflicting advice. I wondered if someone who has > actually managed to configure and uses samba as a Win2k PDC and logon > server > could email me to help me with this issue. > > Javid Mahdavi > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Roots of Samba
Hi all, I have a class of Linux/OpenSource newbies and want to explain the origins of Samba as a typical Open Source project. My interest in Samba has grown, as well as my implementation of Samba. I started with 3 users on one server and now have ~2300 users in 10 buildings using Samba w/LDAP backend in a public school district. Anyway, I can give them my perspective, but I want them to know what an Open Source project is like. Andrew Tridgell is one of or the original developer. Can anyone give me brief history to tell the class? Thanks in advance. Kent Nasveschuk Open Source, alive and well in Wareham, MA... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] BDC and password change program
Hi Stephane, That worked! No more password sync problems. I commented out the password program and the password chat on the BDCs. I tested the password change on a XP and Win 98 several times then checked the replicas. All the paswords are in sync as well as the posix account passwords. Thanks again Kent N > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hi, > > I think simply that with the parameter ldap passwd sync, the passwd > chat is not called. > The only question that I ask to me is : why changing a passwd on a BDC ? > A BDC is a backup DC, if the PDC is down, a BDC can provide > authentification. > > But, you can modifiy the smb.conf of BDC to > > passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"; > > kent a écrit : > >> Hi, Thanks for getting back to me so fast. >> >> >> Stéphane_Purnelle <[EMAIL PROTECTED]> wrote: >> >> > >> The LDAP server in 172.16.0.24 is the master ldap server, but on >> smb.conf of BDC, the ldap server is on localhost. If the IP adresse >> of BDC is 172.16.0.24, you must have no problem. Now, if different, >> you must configure ldap for replication. Because changing password >> on the PDC is not replicated to BDC. >> >>> PDC: 172.16.0.13 However the master ldap server is on >>> 172.16.0.24. We use LDAP for mail authentication as well as >>> OpenGoupware etc. There is no local copy >> of LDAP >>> directory on the PDC. Everthing including the operating system >> points to >>> 172.16.0.24. >> >>> All of the BDCs have replicas. I realize that authentication to a >>> >> BDC on a >>> subnet uses the pass backend which in all of my BDCs is >>> localhost. >> My problem >>> with the BDCs is the password program that I believe is changing >> the LDAP >>> replica on the BDC and not the PDC. So I end up with a password >> mismatch. >> >>> If I disable the password chat on all BDCs will password chat be >> passed on to >>> the PDC? >> >>> Thank you for your help. >> >>> Kent N >> >> The BDC not verify password with the PDC, but with the passwd >> backend only. You can disable these lines : passwd program = >> /usr/bin/smbpasswd %u passwd chat = *Enter\snew\sUNIX\spassword:* >> %n\n*Retype\snew\sUnix\spassword:* %n\n >> >> On BDC >> >> kent a écrit : >> >>> Have you used the -r option for smbpasswd to connect to the PDC >>> in smb.conf? Just wondering what the password chat would be. I >>> can test it out and see what works. >> >>> Kent N >> >>> Bruno Guerreiro <[EMAIL PROTECTED]> wrote: >> >>>> Hi there, The best (only?) way to go is with a LDAP >>>> Master+slave architecture. All changes must be done at the LDAP >>>> Master server which automatically replicates them to all slave >>>> ldap servers. So, yes, the BDC MUST talk to the PDC, or at >>>> least the master ldap server to change the password. >> >>>> Best Regards. Bruno Guerreiro >> >>>> -Original Message- From: kent >>>> [mailto:[EMAIL PROTECTED] Sent: quarta-feira, 31 de >>>> Agosto de 2005 11:15 To: [EMAIL PROTECTED]; Samba >>>> Subject: Re: [Samba] BDC and password change program >> >> >>>> Hello, How are you doing? I just switched this summer from >>>> RedHat 8.0 with compiled versions of Samba, OpenLDAP and >>>> Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP >>>> and BerkeleyDB. Here is the smb.conf from one school that is a >>>> BDC: [global] workgroup = WarehamPS encrypt passwords = Yes >>>> time offset = 60 time server = Yes # log level = 5 socket >>>> options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >>>> security = user username map = /etc/samba/smbusers logon script >>>> = whs1.bat writable = Yes interfaces = eth0 eth1 directory mask >>>> = 02770 preferred master = yes netbios name = whs1 server >>>> string = Fedora Core 4 SAMBA server passdb backend = >>>> ldapsam:ldap://127.0.0.1 ldap passwd sync = Yes machine >>>> password timeout = 604800 passwd program = /usr/bin/smbpasswd >>>> %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >>>> *Retype\snew\sUnix\spassword:* %n\n log file = >>>> /var/log/samba/%m.log debug level = 2 max log size = 50 add >>>> machine script = /usr/sbin/addmachine.sh "%u" logon path = >>>> logon drive = H: lo
RE: [Samba] BDC and password change program
Have you used the -r option for smbpasswd to connect to the PDC in smb.conf? Just wondering what the password chat would be. I can test it out and see what works. Kent N Bruno Guerreiro <[EMAIL PROTECTED]> wrote: > Hi there, > The best (only?) way to go is with a LDAP Master+slave architecture. > All changes must be done at the LDAP Master server which automatically > replicates them to all slave ldap servers. > So, yes, the BDC MUST talk to the PDC, or at least the master ldap server to > change the password. > > Best Regards. > Bruno Guerreiro > > -Original Message- > From: kent [mailto:[EMAIL PROTECTED] > Sent: quarta-feira, 31 de Agosto de 2005 11:15 > To: [EMAIL PROTECTED]; Samba > Subject: Re: [Samba] BDC and password change program > > > Hello, > How are you doing? I just switched this summer from RedHat 8.0 with compiled > versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with > precompiled > Samba, OpenLDAP and BerkeleyDB. Here is the smb.conf from one school that is > a > BDC: > [global] >workgroup = WarehamPS > encrypt passwords = Yes > time offset = 60 > time server = Yes > # log level = 5 > socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 > SO_SNDBUF=8192 > security = user > username map = /etc/samba/smbusers > logon script = whs1.bat > writable = Yes > interfaces = eth0 eth1 > directory mask = 02770 > preferred master = yes > netbios name = whs1 > server string = Fedora Core 4 SAMBA server > passdb backend = ldapsam:ldap://127.0.0.1 > ldap passwd sync = Yes > machine password timeout = 604800 > passwd program = /usr/bin/smbpasswd %u >passwd chat = *Enter\snew\sUNIX\spassword:* %n\n > *Retype\snew\sUnix\spassword:* %n\n > log file = /var/log/samba/%m.log > debug level = 2 > max log size = 50 > add machine script = /usr/sbin/addmachine.sh "%u" > logon path = > logon drive = H: > logon home = > domain logons = Yes > os level = 64 > domain master = No > dns proxy = no > admin users = @domain_admins > wins support = no > wins server = 172.16.0.13 > wins proxy = yes > local master = yes > name resolve order = hosts wins bcast > ldap suffix = dc=tow,dc=net > ldap machine suffix = ou=Computers > ldap user suffix = ou=Users > ldap group suffix = ou=Groups > ldap admin dn = cn=admin,dc=tow,dc=net > ldap ssl = no > > [homes] > comment = Home Directories > read only = no > browseable = no > writable = yes > path = %H > # valid users = %S > > [netlogon] > root preexec = /accounts/netlogon/prelogon.pl %U > path = /accounts/netlogon > comment = Netlogon share > locking = no > browseable = yes > valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent > read only = yes > hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/ > write list = @domain_admins > [staff] > comment = Staff directory > path = /accounts/common > create mode = 0660 > browseable = no > write list = @whsstaff > valid users = @whsstaff > [programs] > comment = Applications > path = /accounts/programs > browseable = no > create mode = 0660 > write list = @whsstaff > valid users = @whsstaff > > [cafeteria] > path = /accounts/cafeteria/data > browseable = no > valid users = @whs-cafe, dperry > force group = whs-cafe > create mode = 0660 > directory mode = 0770 > > Here is the smb.conf for the PDC: > [global] > workgroup = WarehamPS > encrypt passwords = Yes > time server = Yes > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > security = user > writable = Yes > interfaces = eth0 eth1 > directory mask = 02770 > preferred master = yes > local master = Yes > username map = /etc/samba/smbusers > netbios name = wms1 > server string = Fedora Core 4 SAMBA Server > passdb backend = ldapsam:ldap://172.16.0.24 > ldap passwd sync = Yes > machine password timeout = 604800 > passwd program = /usr/bin/smbpasswd %u >passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
Re: [Samba] BDC and password change program
Hello, How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and BerkeleyDB. Here is the smb.conf from one school that is a BDC: [global] workgroup = WarehamPS encrypt passwords = Yes time offset = 60 time server = Yes # log level = 5 socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 security = user username map = /etc/samba/smbusers logon script = whs1.bat writable = Yes interfaces = eth0 eth1 directory mask = 02770 preferred master = yes netbios name = whs1 server string = Fedora Core 4 SAMBA server passdb backend = ldapsam:ldap://127.0.0.1 ldap passwd sync = Yes machine password timeout = 604800 passwd program = /usr/bin/smbpasswd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n log file = /var/log/samba/%m.log debug level = 2 max log size = 50 add machine script = /usr/sbin/addmachine.sh "%u" logon path = logon drive = H: logon home = domain logons = Yes os level = 64 domain master = No dns proxy = no admin users = @domain_admins wins support = no wins server = 172.16.0.13 wins proxy = yes local master = yes name resolve order = hosts wins bcast ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net ldap ssl = no [homes] comment = Home Directories read only = no browseable = no writable = yes path = %H # valid users = %S [netlogon] root preexec = /accounts/netlogon/prelogon.pl %U path = /accounts/netlogon comment = Netlogon share locking = no browseable = yes valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent read only = yes hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/ write list = @domain_admins [staff] comment = Staff directory path = /accounts/common create mode = 0660 browseable = no write list = @whsstaff valid users = @whsstaff [programs] comment = Applications path = /accounts/programs browseable = no create mode = 0660 write list = @whsstaff valid users = @whsstaff [cafeteria] path = /accounts/cafeteria/data browseable = no valid users = @whs-cafe, dperry force group = whs-cafe create mode = 0660 directory mode = 0770 Here is the smb.conf for the PDC: [global] workgroup = WarehamPS encrypt passwords = Yes time server = Yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 security = user writable = Yes interfaces = eth0 eth1 directory mask = 02770 preferred master = yes local master = Yes username map = /etc/samba/smbusers netbios name = wms1 server string = Fedora Core 4 SAMBA Server passdb backend = ldapsam:ldap://172.16.0.24 ldap passwd sync = Yes machine password timeout = 604800 passwd program = /usr/bin/smbpasswd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n log file = /var/log/samba/%m.log debug level = 2 max log size = 30 # add machine script = /usr/bin/smbpasswd -m %u add machine script = /usr/sbin/addmachine.sh "%u" logon script = wms1.bat logon path = logon drive = H: logon home = domain logons = Yes os level = 255 domain master = Yes dns proxy = Yes admin users = @domain_admins wins support = Yes remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1 name resolve order = hosts wins bcast ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net ldap ssl = no [homes] comment = Home Directories read only = no browseable = no writable = yes path = %H hide files = /.*/ [netlogon] comment = Netlogon share root preexec = /accounts/netlogon/prelogon.pl %U path = /accounts/netlogon valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall locking = no browseable = no read only = yes write list = @domain_admins hide files = /*.dll/*.
[Samba] BDC and password change program
Hello, Just wondering what I should be using for the password change program on a BDC. Should it be: passwd program = /usr/bin/smbpasswd -r %u I'm having a problem with passwords not staying in sync between the PDC and BDC with pass backend ldap. The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23 Kent N -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: New maintainer needed for the Linux smb filesystem
On Tue, 23 Aug 2005, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Ian Kent wrote: > > On Sun, 21 Aug 2005, Gerald (Jerry) Carter wrote: > > > >>-BEGIN PGP SIGNED MESSAGE- > >>Hash: SHA1 > >> > >>Steven French wrote: > >>| > >>| We are close, but not quite ready to disable smbfs. > >> > >>Steve, > >> > >>I have been itching to work on some kernel code. > >>If you need someone just to keep things afloat, > >>I'd been happy to look into it. There would be some > >>start up time of course. If you would be willing to > >>help me navigate the things other than code, it > >>shouldn't be that big of a deal. > > > > I wouldn't mind helping out here either. Perhaps a joint > > effort Jerry? > > That's fine by me. > > Steve, I'll touch base with on #samba-technical to work out > what to do first. I know we have had a lot of reports > on https://bugzilla.samba.org/ that were originally closed > as invalid since were weren't supporting the kernel smbfs code > at that time. Just spin me round and stop me when I'm pointing in the right direction! I'll see if I can find anything in the kernel bugzilla. Ian -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: New maintainer needed for the Linux smb filesystem
On Sun, 21 Aug 2005, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Steven French wrote: > | > | We are close, but not quite ready to disable smbfs. > > Steve, > > I have been itching to work on some kernel code. > If you need someone just to keep things afloat, > I'd been happy to look into it. There would be some > start up time of course. If you would be willing to > help me navigate the things other than code, it > shouldn't be that big of a deal. I wouldn't mind helping out here either. Perhaps a joint effort Jerry? Ian -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba ignores supplementary groups for acl
Hi, I'm running samba 3.0.14a-3 on Debian sarge (sparc). The filesystem is ext3 with acl support. winbind works fine. Please see below. when I am logged in using ssh, I can list the files in a folder (/var/Share) for which the group "staff" has r-x permissions. The problem is I can't list the folder through samba: $ ssh [EMAIL PROTECTED] Password: Linux cladms003 2.6.8-2-sparc64 #1 Wed Mar 23 04:23:37 EST 2005 sparc64 GNU/Linux Last login: Thu Jul 28 10:13:46 2005 from 172.18.17.237 [EMAIL PROTECTED]:~$ getfacl /var/Share/ getfacl: Removing leading '/' from absolute path names # file: var/Share # owner: root # group: root user::rwx group::r-x group:staff:r-x mask::r-x other::--- default:user::rwx default:group::r-x default:group:staff:r-x default:mask::r-x default:other::--- [EMAIL PROTECTED]:~$ id uid=1(CYBERLAB+kent) gid=1(CYBERLAB+domain users) groups=50(staff),1 (CYBERLAB+domain users),10001(CYBERLAB+staffs) [EMAIL PROTECTED]:~$ ls -l /var/Share/ total 24 drwxr-x---+ 16 root root 4096 2005-07-25 18:14 Applications drwxr-x---+ 11 root root 4096 2005-07-25 21:30 Data drwxr-x---+ 63 root root 4096 2005-07-26 17:37 Packages In a DOS prompt on a Windows 2000 client: C:\>net use f: \\cladms003\Share command completed successfully C:\>dir f: access denied I believe this problem only happens when used with winbind (a domain user whose is in a linux group). If I set security to user and access the share as linux user "kent" who is in the "staff" group (but not primary group), then it will work. Thanks for any info! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: wbinfo can't list users
Gerald (Jerry) Carter samba.org> writes: > You've got Windows 2000 SP4 SR1 installed don't you? > The only current fix is to either set 'client schannel = no' > in smb.conf or to just disable schannel connections > oln the SAMR pipe in nsswitch/winbindd_cm.c. Hi Jerry, Thanks a lot! This fix works! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] wbinfo can't list users
Hi, I'm running debian sarge with kernel 2.6.8-2-sparc64. I'm trying to use winbind to connect to a Windows 2000 server. I can use "net rpc join" to join the domain, but "wbinfo -u" returns an error. The trusted domains listed doesn't include the domain. Please see below: cladms003:~# net rpc join -U Administrator Password: Joined domain CYBERLAB. cladms003:~# wbinfo -u Error looking up domain users cladms003:~# wbinfo -g BUILTIN+system operators BUILTIN+replicators BUILTIN+guests BUILTIN+power users BUILTIN+print operators BUILTIN+administrators BUILTIN+account operators BUILTIN+backup operators BUILTIN+users cladms003:~# wbinfo -m CLADMS003 BUILTIN Debug level 3 gives the following info when I try wbinfo after starting winbindd: cladms003:~# winbindd -d 3 -i winbindd version 3.0.14a-Debian started. Copyright The Samba Team 2000-2004 lp_load: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" Processing section "[homes]" Processing section "[printers]" Processing section "[print$]" Processing section "[Share]" adding IPC service adding IPC service added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0 added interface ip=172.18.17.2 bcast=172.18.17.255 nmask=255.255.255.0 Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED Added domain CYBERLAB S-0-0 cm_get_ipc_userpass: No auth-user defined lsa_io_sec_qos: length c does not match size 8 add_trusted_domain: CYBERLAB is an ADS mixed mode domain rpc: trusted_domains cm_get_ipc_userpass: No auth-user defined Added domain BUILTIN S-1-5-32 Added domain CLADMS003 S-1-5-21-3711304764-3117404737-3876783093 rpc: trusted_domains [ 5044]: request interface version [ 5044]: request location of privileged pipe [ 5044]: list users cm_get_ipc_userpass: No auth-user defined The debug level 5 output shows an error of NT_STATUS_INSUFFICIENT_RESOURCES near the end (I can provide the full log on request): ...skipped... rpc_api_pipe: len left: 0 smbtrans read: 96 rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No 00 smb_io_rpc_hdr_auth auth_hdr auth_type: 44 0001 auth_level : 05 0002 padding : 08 0003 reserved : 00 0004 auth_context : 0001 08 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: 76 68 2a 4b f3 e0 bc ff 0018 packet_digest: 6c ff 52 eb 48 5c 57 50 0020 confounder: 00 00 00 00 00 00 00 00 18 samr_io_r_connect 0018 data1: 001c data2: 0020 data3: 0022 data4: 0024 data5: 00 00 00 00 00 00 00 00 002c status: NT_STATUS_INSUFFICIENT_RESOURCES -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Accounts disabled moving from v 3.00 3.0.14
Hello, 1. Just having a problem when moving from version 3.0.0 RedHat8 to FDC4 v 3.0.14. I realize there are some attributes new to the schema in 3.0.14 but when a user attempts to login, a "D" is placed in the account flags. How can I get around this without having to run smbpasswd -e? I have many users in my LDAP directory and don't want to enable accounts one at a time. What entry needs to be in LDAP for Samba so that a user must change password on first login? Will putting sambaPwdMustChange as a date in the past do this? Kent N -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Fedora core 2 domain trust account fails
I haven't read them but I will, thanks. Kent Misty Stanley-Jones <[EMAIL PROTECTED]> wrote: > On Tuesday 01 March 2005 11:30 am, kent wrote: > > Hello, > > Having a problem with trust accounts failing after creation. The following > > is the system that I'm running Samba on: > > > > Fedora Core 2 > > (compiled from source) > > Samba 3.0.11 > > OpenLDAP 2.2.23 > > BerkeleyDB 4.3.27 > > If you read the release notes for 3.0.12pre1 you will see there is a bug with > interdomain trusts in 3.0.11. Nobody ever told me that even though I have > asked repeated on the mailing list. I wlll save you the time I wasted and > let you know. > > Misty > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Fedora core 2 domain trust account fails
Hello, Having a problem with trust accounts failing after creation. The following is the system that I'm running Samba on: Fedora Core 2 (compiled from source) Samba 3.0.11 OpenLDAP 2.2.23 BerkeleyDB 4.3.27 Windows 2000 client machine I have a script to add machine trust accounts to LDAP. The first part adds a posix Account and attributes to LDAP, the second uses smbpasswd to add the Samba account and attributes. I use PAM to point to the LDAP directory for user, group info and authentication. This method has worked on Samba 3.0.0 with ldap 2.1.30 backend systems fine. I add the account using root, the account is created in LDAP, and I get a "Welcome to blah blah domain" message. After I reboot and attempt to login, I get a trust account failure error message. I compared the sid for the domain and the machine account and they are identical. The only password that is created is sambaNTPassword. The following are attributes that are found in LDAP after account creation: [EMAIL PROTECTED] root]# ldapsearch -xv -b "ou=computers,dc=tow,dc=net" uid=wms-0106$ldap_initialize( ) filter: uid=wms-0106$ requesting: ALL # extended LDIF # # LDAPv3 # base with scope sub # filter: uid=wms-0106$ # requesting: ALL # # wms-0106$, Computers, tow.net dn: uid=wms-0106$,ou=Computers,dc=tow,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: sambaSamAccount uid: wms-0106$ cn: wms-0106$ sn: wms-0106$ uidNumber: 8049 gidNumber: 502 homeDirectory: /dev/null description: Computer loginShell: /bin/false sambaSID: S-1-5-21-1129281578-1295143107-3311307472-17098 sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-515 displayName: wms-0106$ sambaPwdCanChange: 1109349002 sambaPwdMustChange: 2147483647 sambaNTPassword: 6B92BAAA9FAD3E498BF4665F0B42BF95 sambaPwdLastSet: 1109349002 sambaAcctFlags: [W ] # search result search: 2 result: 0 Success Any suggestions? Kent L. Nasveschuk Wareham Public Schools -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] sambaPwdMustChange
Another time converter is a perl script amtime.pl that can be used in shell scripts to convert back and forth between seconds and human readable time. http://www.unixreview.com/documents/s=1344/ur0307g/ur0307g_script.htm Kent N > Patrick, > > This number is a timestamp. To figure out what day it means paste it in > this > url > http://www.4webhelp.net/us/timestamp.php?action=stamp&stamp=&timezone=0 > > To set an account to never expire it´s password you have to set > sambaacctflags to [UX] > > Regards, > > Gustavo > > > - Original Message - > From: "Patrick DUBAU" <[EMAIL PROTECTED]> > To: > Sent: Monday, January 17, 2005 1:14 PM > Subject: [Samba] sambaPwdMustChange > > >> Hi, >> >> i have samba 3.0.10 installed with LDAP. >> I noticed few days ago that my adminsitrator account has expired. I >> think >> it's because of the sambaPwdMustChange field of LDAP. I changed the >> passwd >> now i have the value 1108741705 in it. What does it mean (when will i be >> prompted again to change my passwd) and do i have to put in this field >> so >> that the password will never expire ? >> >> Thanks for any help >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/listinfo/samba >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Cannot enable "Enable advanced printing features"
Hi, Well, I'm no expert - but if I connect the Windows clients directly to the CUPS-backend of the Samba-server, there's no problem enabling the "advanced features" and using them... Samba should just pass the binary print-dump-file from the Windows clients on to CUPS - I can se no reason why Samba needs to execute anything? The same clients, the same server, the same configuration - if works if I points the clients towards cups (http://192.168.0.10:631/printers/myprinter) but not if I use Samba (\\192.168.0.10\myprinter). It must be Samba that explicit disallows the use of the "Enable advanced printing features", which I cannot see why, since it works thru cups on the same server... Regards, Kent B. Hansen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Manuel Capinha Hey. I've just been bitten by the same problem recently. What happens is that when you click on the "Enable advanced printer features" option on windows, what it does is enable EMF support. EMF works by letting the printer driver embbed some printer commands that will be executed by the print server. For this to work, the print server must be running on Windows, since cups+samba don't do EMF (and from what i've gathered this will _never_ work). I'm currently investigating if there's some other way to achieve the n-pages-to-1 print option under the cups+samba combo... this will have to go through some sort of filter on the cups backend but all of this is still a sketch in my head.. Hope this helps. On Tue, 28 Sep 2004 11:22:20 +0200, Pierre Dinh-van <[EMAIL PROTECTED]> wrote: > Le mardi 28 Septembre 2004 11:15, Kent B. Hansen a écrit : > > Hi all. > > Hi > > > I'm trying to use Samba to replace an old Windows print server, and > > everything works just like a charm - almost... > > > > There's one thing, which prevents my organization from accepting this new > > printerserver, and that is that I'm unable to activate and save the "Enable > > advanced printing features" setting for the printers - this is used to > > allow for printing multiple pages onto one page etc. Samba doesn't give any > > errors, the settings is just cleared the next time I open the > > preferences... > > I have the same problem with a Xerox DocuColor 1632. When the driver is > downloaded by the client from the print$ share, I can't activate the finition > module of the printer. > If I install the printer driver locally "by hand", it works... > I'm still looking for a solution... > > > I'm using cups for the backend, and all printers are configured as raw > > queues. The click'n'print feature are working nicely, and I can change and > > save all other settings beside this crusual "advanced features" setting (so > > it doesn't seem like a persission problem). > > Same configuration... > > I hope someone can help us :-) > > Pierre Dinh-van > > -- > --- Racisme --- > Le casse-tête de Toubon : comment pondre une loi anti-raciste qui > n'envoie pas Debré en prison ? > +-- Brèves Charlie Hebdo n°223 (25/09/96) --+ > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Cannot enable "Enable advanced printing features"
Hi all. I'm trying to use Samba to replace an old Windows print server, and everything works just like a charm - almost... There's one thing, which prevents my organization from accepting this new printerserver, and that is that I'm unable to activate and save the "Enable advanced printing features" setting for the printers - this is used to allow for printing multiple pages onto one page etc. Samba doesn't give any errors, the settings is just cleared the next time I open the preferences... :-( I'm using cups for the backend, and all printers are configured as raw queues. The click'n'print feature are working nicely, and I can change and save all other settings beside this crusual "advanced features" setting (so it doesn't seem like a persission problem). My collegues are killing me, and want to reinstall Windows - so please help me out, if you can! ;) Regards, Kent B. Hansen -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] login scripts do not run
Mayebe I should have explained more of what is encrypted. Below is an example of what is encrypted: 5B1CC95BAF6B10DD09D42ADE1A14D8D27134E31B1FBD6BDBB90993FC9D284C730E53ABC70C7ACC4C661CE4BD6E00F8C372A3B9A2A18C142AE0D1CB23B8870C772045D1FDA1D3B13729D75B66D97FB1360B1599735F2E2FBA2B3723C10F2A81A79BD4D7B89AF2684B8D245597F89D71962786FFE9069D1D93CD8EC895C1084440D7ADE53C9A4584A0DCCDAAB86433934767E9D72A3E48ABF02B870C9BB1A657114FE340972054C578602DB4A032ED0FFFD1B83149FDBBB73A34941D13626B84DA That contains the username, password, path to command to run, domain, and an option for a directory to start in. It is used like this: rurasp.exe somefile.rap where the contents of somefile.rap is the string of characters above. Does that help? Denis Vlasenko <[EMAIL PROTECTED]> wrote: > On Thursday 23 September 2004 20:18, kent wrote: > > Hello, > > We have been successfully using RUNASP.exe > > (http://www.mast-computer.com/c_9-s_7-l_en.html). You have to pay for licensing > > however. We use it for everything, running programs, udate Norton AV. Password > > is encrypted. Is very simple to use. > > If this script is runnable by the user then user can see that > encrypted password and use it to launch some malicious code > instead using this tool with admin rights. > > Correct me if im wrong. > -- > vda > > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Upgrade Novell 4.11 to Samba 3.0.7 wisdom needed
Hello,
I ran into this problem in the past but have since resolved group issues.
First of all I am currently using:
RedHat 8.0
OpenLDAP 2.1.30
Berkeley DB 4.2.52 LDAP backend
Samba 3.0.0
(1) PDC (5) BDC many, (1) master OpenLDAP (6) slave OpenLDAP
These reside in different buildings around town.
All groups and users exist in the LDAP directory, there are only a few local
user accounts. I used authconfig to move authentication to LDAP where each
server has a copy of the directory. You should also add a line to system-auth:
account sufficient/lib/security/pam_localuser.so
This allows logon to a local account in the event LDAP is down.
In smb.conf in the netlogon share I have:
[netlogon]
comment = Netlogon share
root preexec = /usr/local/samba/netlogon/prelogon.pl %U
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
The prelogon.pl creates individual batch files for the user based on group
membership. Here is some of prelogon.pl:
#!/usr/bin/perl
$user = $ARGV[0];
$groups = `/usr/bin/groups $user`;
chomp $groups;
open (LOGON,">/usr/local/samba/netlogon/$user.bat");
#
# Cafeteria maps
#
if ($groups =~ m/whs-cafe/ ) {
print LOGON "net use q: whs1\\cafeteria /yes\r\n";
}
f ($groups =~ m/whsstaff/ ) {
print LOGON "net use s: whs1\\staff /yes\r\n";
print LOGON "net use p: whs1\\common /yes\r\n";
}
close (LOGON);
The first part of the logon process calls either an assigned script that is in
LDAP or the default that is in smb.conf. Here is the default whs1.bat:
net time \\whs1 /set /y
rem \\whs1\pca\PCAnalyser.exe /ignore all
NNN0XX1PNN535495%apppath%\netdiscover\%computername%.pca
net use H: /HOME /yes
net use x: \\whs1\netlogon
net use p: \\whs1\programs
x:
x:\wkix32.exe whs1.kix
This calls a kixtart script processor script whs1.kix that does stuff based on
OS:
CLS
x:
CD \
If @PRODUCTTYPE = "Windows 95"
Shell "w9x.bat"
Shell "@USERID.bat"
EndIf
If @PRODUCTTYPE = "Windows 98"
Shell "w9x.bat"
Shell "@USERID.bat"
EndIf
If @PRODUCTTYPE = "Windows 2000 Professional"
Shell "@USERID.bat"
Shell "\\whs1\netlogon\runasp.exe whs1xp.rap"
EndIf
If @PRODUCTTYPE = "Windows XP Home Edition"
Shell "@USERID.bat"
Shell "\\whs1\netlogon\runasp.exe whs1xp.rap"
EndIf
If @PRODUCTTYPE = "Windows XP Professional"
Shell "@USERID.bat"
Shell "\\whs1\netlogon\runasp.exe whs1xp.rap"
EndIf
EXIT
The USERID.bat was the batch file created by prelogon.pl. The additional batch
file and runasp.exe are used to update virus definitions.
Since everything is located in the netlogon directory I sync these at night
with rsync. If a person from one building logons into the system in another
building they get the correct drive mappings based on group membership. Their
logon script exists in LDAP and group membership used by prelogon.pl comes
from LDAP which is common to all servers.
Hope this helps.
Kent N
[EMAIL PROTECTED] wrote:
> On 21 Sep 2004 , Misty Stanley-Jones entreated about
> "[Samba] Upgrade Novell 4.11 to Samba 3.0.7 wisdom":
>
> } Has anybody done such a thing as this? I'm looking to make this
> } transition as smooth as possible. I have the new fileserver up and
>
> I'm busy replacing a Netware 3.12 box with FreeBSD 5.2.1 and
> Samba 3.0.7
>
> } running, and I'm using rsync to keep the Novell data current on the
>
> 3.12 won't do fancy stuff like that, and when I tried to use
> mount_nwfs I rather successfully locked up the BSD box completely.
> through several tries with different configs. so I'll be
> transferring data via a PC with mappings to both systems...
>
> } Samba server. Any words of advice on transferring the users and groups
> } and permissions over to the new server in the least painful way
> } possible? I have some idea that Novell uses LDAP so that I should be
>
> My system needs a makeover so I'm not transferring so much as re-
> engineering, so can't help you much. I'm creating new groups to
> mirror some of the existing Novell groups, dropping some, and adding
> others. My big hurdle at the moment is figuring a way round the
> sheer versatility I had on the Novell box
> ie, have a volume named 'graf'
> a folder on that is assigned to software pacakge X users
> another folder is assigned to software package Y users
> drive mappings to the relevant folder are done via group membership.
Re: [Samba] Upgrade Novell 4.11 to Samba 3.0.7 wisdom needed
Hello, I didn't think that Novell 4.11 used LDAP but could be wrong. Later versions use LDAP with their schema extensions. I went from Novell 5.1 to Samba 3.0.0. I moved users a little at a time removing the Novell client from client machines and reconfiguring networking. Since I am with a school system the HS students are dumped at the end of the year and accounts recreated in the fall. It was a difficult process but I feel worth it. Kent N Misty Stanley-Jones <[EMAIL PROTECTED]> wrote: > Has anybody done such a thing as this? I'm looking to make this transition as > smooth as possible. I have the new fileserver up and running, and I'm using > rsync to keep the Novell data current on the Samba server. Any words of > advice on transferring the users and groups and permissions over to the new > server in the least painful way possible? I have some idea that Novell uses > LDAP so that I should be able do it somehow. I don't want to screw this > upgrade up, and any help would be appreciated. I am hoping someone has > already done it before and has written a Howto or something about it. > > Thanks, > Misty > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Reset machine trust account passwords
Can I use rpcclient to reset workstation trust account passwords or how can I reset trust account passwords without rejoining them to the domain? Kent N -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba+LDAP - so close yet so far:) ...STILL NOTSOLVED
Yes, running RH 8, samba 3.0.0, openldap 2.1.30, Berkeley DB 4.2.52. Seems to work fine. ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net Kent N > Hi, > >ldap admin dn = cn=root,dc=juwimm,dc=local >ldap suffix = ou=juwidc01,dc=juwimm,dc=local >ldap user suffix = ou=users >ldap group suffix = ou=groups >ldap machine suffix = ou=machines > > Works well with samba 3.0.2a on a suse 9.0 machine > >> Is there anyone succes with place Users and Computers in >> different ou's ? >> >> regards >> reza > > > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba upgrade
I noticed v 3.05 came out with some security fixes. I'm still using v 3.0.0 and it seems to work just fine. I've never done an upgrade on Samba which I'd like to do by the end of the summer. I've already upgraded the backend support, OpenLDAP and Berkeley DB. What do I need to backup before compiling and installing a new version besides smb.conf? All my accounts are in LDAP. Kent N -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] posixAccount for Machines in LDAP?
John, I have everything running finally. Of course this is always in a state of evolution as I'm sure you know. I posted a question about objectclasses that are required to make machine accounts available if they reside entirely in the LDAP directory. The perl scripts from IDEALX, seem to include inetOrgPerson as an objectclass when using smbldap-useradd.pl for machine accounts. I wanted to know if inetOrgPerson is necessary and if I could adjust the perl scripts to include just: sambaSAMAccount posixAccount Everything in /etc/passwd has been migrated to LDAP with exception of system accounts (root,sys,nobody,etc), thanks to PAM_LDAP and NSS_LDAP. I have to say that this is marvelous software. You guys do an excellent job revising, advising and the support list server is without a doubt the best tech support money can't buy. Thanks for you help. Kent N Wareham Public Schools > Kent, > > You may find value from reading chapter 6 of the book "Samba-3 by Example" > that is available from Amazon.Com. This book is also available > electronically > from http://www.samba.org/samba/docs/Samba-Guide.pdf. The advantage of the > book is that it comes with a CDROM that has all the example config files > that > might help you get this resolved faster. > > In any case, if the examples and documentation in this book do NOT solve > your > problem please let me know so I can update it. > > Cheers, > John T. > > On Wednesday 14 July 2004 07:25, [EMAIL PROTECTED] wrote: >> Hi Paul, >> I'm getting a user not found after I made the changes. That's what I >> used >> to get when I didn't add the machine account to /etc/passwd first. >> >> The good news is that I removed a machine account from /etc/passwd and >> added it to LDAP to the existing account that was created with smbpasswd >> (added posixAccount and attributes). This worked fine. All of the >> posixAccount information need only be in LDAP. I will migrate my >> existing >> machine account info from /etc/passwd to their respective accounts in >> LDAP. Just seems that smbldap_useradd.pl is not able to add the account >> information to LDAP on the fly. >> >> Just curious, do you have a working system that does just that, where if >> you add a machine by joining it to the domain, smbldap_useradd.pl >> creates >> the posixAccount and sambaSAMAccount in LDAP? >> >> I'll continue to tinker with it. If you have any other suggestions, let >> me >> know. I'm very close. >> >> > Changes below: >> > >> > [EMAIL PROTECTED] wrote: >> >>Thanks for getting back to me, Paul. >> >>Here's the domain controllers smb.conf >> >> >> >> >> >>[global] >> >>workgroup = WarehamPS >> >> encrypt passwords = Yes >> >> time server = Yes >> >> socket options = TCP_NODELAY >> >> security = user >> >> logon script = whs1.bat >> >> writable = Yes >> >> dns proxy = no >> >> directory mask = 02770 >> >> preferred master = yes >> >>netbios name = WHS1 >> >>server string = RedHat 8.0 LDAP Server >> >>passdb backend = ldapsam >> >>ldap passwd sync = Yes >> >> machine password timeout = 604800 >> >>passwd program = /usr/local/samba/bin/smbpasswd %u >> >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >> >>*Retype\snew\sUnix\spassword:* %n\n >> >>log file = /var/log/samba.%m >> >>debug level = 2 >> >>max log size = 50 >> >>add user script = /usr/local/sbin/smbldap-useradd.pl %u >> >>delete user script = /usr/local/sbin/smbldap-useradd.pl %u >> >>add group script = /usr/local/sbin/smbldap-groupadd.pl >> >>delete group script = /usr/local/sbin/smbldap-groupdel.pl >> >>add machine script = /usr/sbin/useradd -c "Computer" -d >> /dev/null >> >>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m >> >>%u >> > >> > Change these scripts to be liks so: >> > >> > add user script = /usr/sbin/smbldap-useradd -a -m "%u" >> > delete user script = /usr/sbin/smbldap-userdel "%u" >> > add group script = /usr/sbin/smbldap-groupadd "%g" >> > delete group script = /usr/sbin/smbldap-groupdel "%g" >> > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" >>
[Samba] objectclasses required for Samba 3
Hello, I'm using smbldap-useradd.pl from IDEALX to add machine accounts to the LDAP directory for Samba. Works good, have a question though. The objectclasses generated by add machine script are: posixAccount sambaSAMAccount inetOrgPerson inetOrgPerson seems as though it is not needed. Am I right? Suggestions on removing from the smbldap-useradd.pl?? smbpasswd by itself will generate: sambaSAMAccount account Currently all, users for Samba and Posix are located in the LDAP directory. I don't want to add unnecessary objectclasses to an entry that are never going to be used. Kent N Wareham Public Schools -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Fwd: Re: [Samba] posixAccount for Machines in LDAP?]
Original Message Subject: Re: [Samba] posixAccount for Machines in LDAP? From:[EMAIL PROTECTED] Date:Wed, July 14, 2004 12:19 pm To: "Paul Gienger" <[EMAIL PROTECTED]> -- Hi Paul, Finally got it to work. This is great!! I had 2 problems. First the script paths were wrong, second neither the smbldap_conf.pm nor smbldap-useradd.pl would pass perl -c syntax check. I should have checked that first. I was tinkering with the perl scripts because I don't use profiles and wanted to delete these from being created. One more thing to do is to get the smb.conf and perl scripts straightened out on the BDCs so everything is the same. Thank you for your support! Kent N > [EMAIL PROTECTED] wrote: > >>Hi Paul, >>I'm getting a user not found after I made the changes. That's what I used to get when I didn't add the machine account to /etc/passwd first. >> >> > Ok, so now the question is this, when you try to join, are you giving it the root user or root equivilent (uid=0) account? Is it making the posix account but not modifying it with sambaSAM information? You are sure that everything is using ou=People (or whatever users container you're using)? I use the root account. When I started this quest I tried to get a root equivalent account to work and couldn't. I may revisit this now that I've overcome other obstacles. I tried keeping the users separate from the computers in smb.conf. This seems to work. It may have been a bug but seems to work for me. ?? Machines go under ou=Computers,dc=tow.net and users under ou=users,dc=tow,net. > >>Just curious, do you have a working system that does just that, where if you add a machine by joining it to the domain, smbldap_useradd.pl creates the posixAccount and sambaSAMAccount in LDAP? >> >> > I *did* when I was migration testing for samba3 but now my test box has been scrapped for a Sun trade in. I need to rebuild it before I go live with S3 (still on 2.2.8 here sadly) so I'll be building entirely from scratch again, hopefully this week if other projects get taken care of. I've done a pile of testing in my setup to get it to work with our remote LDAP master and local and/or distributed DC boxes. There were some timing issues there if replication didn't happen quick enough, a real PITA. > >>I'll continue to tinker with it. If you have any other suggestions, let >> me >>know. I'm very close. >> >> >> >>>Changes below: >>> >>>[EMAIL PROTECTED] wrote: >>> >>> >>> >>>>Thanks for getting back to me, Paul. >>>>Here's the domain controllers smb.conf >>>> >>>> >>>>[global] >>>> workgroup = WarehamPS >>>>encrypt passwords = Yes >>>>time server = Yes >>>>socket options = TCP_NODELAY >>>>security = user >>>>logon script = whs1.bat >>>>writable = Yes >>>>dns proxy = no >>>>directory mask = 02770 >>>>preferred master = yes >>>> netbios name = WHS1 >>>> server string = RedHat 8.0 LDAP Server >>>> passdb backend = ldapsam >>>> ldap passwd sync = Yes >>>>machine password timeout = 604800 >>>> passwd program = /usr/local/samba/bin/smbpasswd %u >>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >>>>*Retype\snew\sUnix\spassword:* %n\n >>>> log file = /var/log/samba.%m >>>> debug level = 2 >>>> max log size = 50 >>>> add user script = /usr/local/sbin/smbldap-useradd.pl %u delete user script = /usr/local/sbin/smbldap-useradd.pl %u add group script = /usr/local/sbin/smbldap-groupadd.pl >>>> delete group script = /usr/local/sbin/smbldap-groupdel.pl add machine script = /usr/sbin/useradd -c "Computer" -d >>>> /dev/null >>>>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u >>>> >>>> >>>> >>>> >>>Change these scripts to be liks so: >>> >>>add user script = /usr/sbin/smbldap-useradd -a -m "%u" >>>delete user script = /usr/sbin/smbldap-userdel "%u" >>>add group script = /usr/sbin/smbldap-groupadd "%g" >>>delete group script = /usr/sbin/smbldap-groupdel "%g" >>>add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/s
Re: [Samba] posixAccount for Machines in LDAP?
Hi Paul, I'm getting a user not found after I made the changes. That's what I used to get when I didn't add the machine account to /etc/passwd first. The good news is that I removed a machine account from /etc/passwd and added it to LDAP to the existing account that was created with smbpasswd (added posixAccount and attributes). This worked fine. All of the posixAccount information need only be in LDAP. I will migrate my existing machine account info from /etc/passwd to their respective accounts in LDAP. Just seems that smbldap_useradd.pl is not able to add the account information to LDAP on the fly. Just curious, do you have a working system that does just that, where if you add a machine by joining it to the domain, smbldap_useradd.pl creates the posixAccount and sambaSAMAccount in LDAP? I'll continue to tinker with it. If you have any other suggestions, let me know. I'm very close. > Changes below: > > [EMAIL PROTECTED] wrote: > >>Thanks for getting back to me, Paul. >>Here's the domain controllers smb.conf >> >> >>[global] >>workgroup = WarehamPS >> encrypt passwords = Yes >> time server = Yes >> socket options = TCP_NODELAY >> security = user >> logon script = whs1.bat >> writable = Yes >> dns proxy = no >> directory mask = 02770 >> preferred master = yes >>netbios name = WHS1 >>server string = RedHat 8.0 LDAP Server >>passdb backend = ldapsam >>ldap passwd sync = Yes >> machine password timeout = 604800 >>passwd program = /usr/local/samba/bin/smbpasswd %u >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >>*Retype\snew\sUnix\spassword:* %n\n >>log file = /var/log/samba.%m >>debug level = 2 >>max log size = 50 >>add user script = /usr/local/sbin/smbldap-useradd.pl %u >>delete user script = /usr/local/sbin/smbldap-useradd.pl %u >>add group script = /usr/local/sbin/smbldap-groupadd.pl >>delete group script = /usr/local/sbin/smbldap-groupdel.pl >>add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null >>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m >>%u >> >> > Change these scripts to be liks so: > > add user script = /usr/sbin/smbldap-useradd -a -m "%u" > delete user script = /usr/sbin/smbldap-userdel "%u" > add group script = /usr/sbin/smbldap-groupadd "%g" > delete group script = /usr/sbin/smbldap-groupdel "%g" > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" > set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" > add machine script = /usr/sbin/smbldap-useradd -w "%u" > > make sure the paths line up of course. The quotes are important in case > you get spaces in the parameters. > >>logon script = whs1.bat >> logon path = >>logon drive = H: >> logon home = >>domain logons = Yes >>os level = 64 >>domain master = Yes >>dns proxy = Yes >> admin users = @domain_admins >> wins support = Yes >> name resolve order = wins hosts bcast >>ldap suffix = dc=tow,dc=net >>ldap machine suffix = ou=Computers >> >> > Make ldap machine suffix match ldap user suffix. Known bug. > >>ldap user suffix = ou=Users >>ldap group suffix = ou=Groups >>ldap admin dn = cn=admin,dc=tow,dc=net >>ldap ssl = no >> >> > > > Of course, make sure your smbldap config file matches the above LDAP dn > information for users, computers. Check back after trying it out. > > Paul > >>Kent >>Wareham Public Schools >> >> >> >>>[EMAIL PROTECTED] wrote: >>> >>> >>> >>>>Hello, >>>>I have a question about machine accounts. >>>>I using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on >>>>RedHat machines. >>>>I also have 3 slave/BDC's and 1 master/PDC >>>> >>>>Right now all of my users and groups exist entirely in the LDAP >>>>directory. >>>>I have a few accounts in addition to the normal system accounts that >>>> are >>>>used for emergency access. All authention and group enumeration uses >>>>PAM_LDAP with NSS_LDAP. >>>> >>>
Re: [Samba] posixAccount for Machines in LDAP?
Thanks, I'll give this a try tomorrow and let you know how things go. I really appreciate your help. This is the last major hurdle that I can see. Kent N > Changes below: > > [EMAIL PROTECTED] wrote: > >>Thanks for getting back to me, Paul. >>Here's the domain controllers smb.conf >> >> >>[global] >>workgroup = WarehamPS >> encrypt passwords = Yes >> time server = Yes >> socket options = TCP_NODELAY >> security = user >> logon script = whs1.bat >> writable = Yes >> dns proxy = no >> directory mask = 02770 >> preferred master = yes >>netbios name = WHS1 >>server string = RedHat 8.0 LDAP Server >>passdb backend = ldapsam >>ldap passwd sync = Yes >> machine password timeout = 604800 >>passwd program = /usr/local/samba/bin/smbpasswd %u >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >>*Retype\snew\sUnix\spassword:* %n\n >>log file = /var/log/samba.%m >>debug level = 2 >>max log size = 50 >>add user script = /usr/local/sbin/smbldap-useradd.pl %u >>delete user script = /usr/local/sbin/smbldap-useradd.pl %u >>add group script = /usr/local/sbin/smbldap-groupadd.pl >>delete group script = /usr/local/sbin/smbldap-groupdel.pl >>add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null >>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m >>%u >> >> > Change these scripts to be liks so: > > add user script = /usr/sbin/smbldap-useradd -a -m "%u" > delete user script = /usr/sbin/smbldap-userdel "%u" > add group script = /usr/sbin/smbldap-groupadd "%g" > delete group script = /usr/sbin/smbldap-groupdel "%g" > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" > set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" > add machine script = /usr/sbin/smbldap-useradd -w "%u" > > make sure the paths line up of course. The quotes are important in case > you get spaces in the parameters. > >>logon script = whs1.bat >> logon path = >>logon drive = H: >> logon home = >>domain logons = Yes >>os level = 64 >>domain master = Yes >>dns proxy = Yes >> admin users = @domain_admins >> wins support = Yes >> name resolve order = wins hosts bcast >>ldap suffix = dc=tow,dc=net >>ldap machine suffix = ou=Computers >> >> > Make ldap machine suffix match ldap user suffix. Known bug. > >>ldap user suffix = ou=Users >>ldap group suffix = ou=Groups >>ldap admin dn = cn=admin,dc=tow,dc=net >>ldap ssl = no >> >> > > > Of course, make sure your smbldap config file matches the above LDAP dn > information for users, computers. Check back after trying it out. > > Paul > >>Kent >>Wareham Public Schools >> >> >> >>>[EMAIL PROTECTED] wrote: >>> >>> >>> >>>>Hello, >>>>I have a question about machine accounts. >>>>I using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on >>>>RedHat machines. >>>>I also have 3 slave/BDC's and 1 master/PDC >>>> >>>>Right now all of my users and groups exist entirely in the LDAP >>>>directory. >>>>I have a few accounts in addition to the normal system accounts that >>>> are >>>>used for emergency access. All authention and group enumeration uses >>>>PAM_LDAP with NSS_LDAP. >>>> >>>>My question is that when I have a machine join the domain, in the LDAP >>>>directory an objectclass Account and sambaSAMAccount are created. I >>>> still >>>>need to create a machine account in /etc/passwd for this to happen. Is >>>>there anyone out there that is first creating a posixAccount with >>>>appropriate attributes in LDAP then using the Samba/Windows to generate >>>>the sambaSAMAccount object and attributes in LDAP also? >>>> >>>> >>>> >>>> >>>You shouldn't need anything in /etc/passwd. Perhaps by posting an >>>smb.conf you could be pointed in the right direction. >>> >>> >>>
[Fwd: Re: [Samba] posixAccount for Machines in LDAP?]
Original Message
Subject: Re: [Samba] posixAccount for Machines in LDAP?
From:[EMAIL PROTECTED]
Date:Tue, July 13, 2004 4:54 pm
To: "Paul Gienger" <[EMAIL PROTECTED]>
--
Thanks for getting back to me, Paul.
Here's the domain controllers smb.conf
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = whs1.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete user script = /usr/local/sbin/smbldap-useradd.pl %u add
group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null
-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m
%u
logon script = whs1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
name resolve order = wins hosts bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
hide files = /.*/
[netlogon]
comment = Netlogon share
root preexec = /usr/local/samba/sbin/prelogon.pl %U
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
hide files = /*.dll/*.rap/*.kix/*.bat/
[staff]
comment = Staff Directory
path = /accounts/common
browseable = no
create mode = 0660
valid users = @whsstaff
write list = @whsstaff
force group = whsstaff
[programs]
comment = Programs
path = /accounts/programs
valid users = @whsstaff
browseable = no
[adm-pgms$]
comment = Admin Programs
path = /accounts/adm_pgms
browseable = no
valid users = @techstaff
write list = @techstaff
force group = techstaff
create mode = 0660
[images$]
comment = Ghost image files
path = /accounts/images
browseable = no
force group = techstaff
create mode = 0660
valid users = @techstaff
write list = @techstaff
[cafeteria]
path = /accounts/cafeteria/data
browseable = no
valid users = @whs-cafe
force group = whs-cafe
create mode = 0660
directory mode = 0770
[printers]
comment = All Printers
path = /var/spool/samba
valid users = @whsstaff, @techstaff
read only = Yes
printable = Yes
browseable = No
[hp8100]
path = /tmp
comment = HP8100 Laser
browseable = yes
writable = no
printable = yes
printer name = hp8100
[tricker]
path = /accounts/whsart/tricker
comment = WHS Art students
browseable = No
valid users = +tricker
write list = +tricker
force group = tricker
create mode = 0660
directory mode = 0770
[gunnels]
path = /accounts/whsart/gunnels
comment = WHS Art students
browseable = No
valid users = +gunnels
write list = +gunnels
force group = gunnels
create mode = 0660
directory mode = 0770
[einstein]
path = /accounts/whsart/einstein
comment = WHS Art students
browseable = No
valid users = +einstein
write list = +einstein
force group = einstein
create mode = 0660
[PCA]
comment = PC Analyzer files
path = /usr/local/samba/PCAnalyser
browseable = no
force group = techstaff
directory mode = 0770
create mode = 0770
Kent
Wareham Public Schools
> [EMAIL PROTECTED] wrote:
>
>>Hello,
>>I have a question about machine accounts.
>>I using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on
RedHat
[Samba] posixAccount for Machines in LDAP?
Hello, I have a question about machine accounts. I using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on RedHat machines. I also have 3 slave/BDC's and 1 master/PDC Right now all of my users and groups exist entirely in the LDAP directory. I have a few accounts in addition to the normal system accounts that are used for emergency access. All authention and group enumeration uses PAM_LDAP with NSS_LDAP. My question is that when I have a machine join the domain, in the LDAP directory an objectclass Account and sambaSAMAccount are created. I still need to create a machine account in /etc/passwd for this to happen. Is there anyone out there that is first creating a posixAccount with appropriate attributes in LDAP then using the Samba/Windows to generate the sambaSAMAccount object and attributes in LDAP also? I was so happy to get all of the user/group stuff consolidated into the directory. Now I see that this is a possibility also but I haven't tried it. Kent N Wareham Public Schools -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Having issues with rpcclient's adddriver
Hi, I'm trying to add a Windows NT/2000 OKI C5100 print driver to a Samba 2.2.3a server. I've been told that this driver does some server-side stuff, so I'll have to use 'adddriver' in rpcclient. I've read the manual page for rpcclient, and I printed out a 'Windows 2000 Printer Test Page' to get all the relevant information. This is probably just something simple, but I've checked this out a couple of times and keep getting a syntax error. Do I have too many files listed, and if so do I need all of these listed files? [EMAIL PROTECTED]:~$ rpcclient test -U root INFO: Debug class all level = 2 (pid 9287 from pid 9287) Enter Password: session setup ok Domain=[TEST] OS=[Unix] Server=[Samba 2.2.3a-13 for Debian] rpcclient $> adddriver "Windows NT x86" "OKI C5100:IMFNT4.DLL:OPHCWDDM.SDD:SDNTOK.DLL:OP51ENU.HLP:\ OKI HiperC Language Monitor:RAW:ABEXPW32.DLL,CANLKN.PRF,CNNbapie.DLL,\ CNNsCore.DLL,CNPPDCE.DLL,CNXADR.DLL,CNXCOV1.EMF,CNXCOV2.EMF,\ CNXCOV3.EMF,CNXCOVL.EMF,CNXCR.DLL,CNXDMAN.DLL,CNXECR.DLL,CNXP5EE.DLL,\ CNXP5EE0.CNT,CNXP5EE0.HLP,CNXP5EEP.DLL,CNXP5EEU.DLL,CNXPRASX.DLL,\ CNZ005N.ICC,CNZ006N.ICC,CNZ007N.ICC,CNZE15N.ICC,CNZE18N.ICC,\ CNZE21N.ICC,CNZN15N.ICC,CNZN18N.ICC,CNZN21N.ICC,CNZP15N.ICC,\ CNZP18N.ICC,CNZP21N.ICC,CnP5eE.DLL,CnP5eE0.CNT,CnP5eE0.HLP,\ CnP5eEUI.DLL,CnP5eEUM.DLL,DCS.DLL,DCSTBL.DLL,GP300FK.XPD,GP300PK.XPD,\ IMF32.DLL,IMFPRINT.DLL,ML51NSAR.DLL,OK001U2H.CAP,OK009U0H.CCM,\ OK714NHE.VER,OMRDM32.DLL,OP5100.DAT,OP5100.UNZ,OP51ICB.BIN,\ OPCLB002.DLL,OPCST000.DLL,OPDMN004.DLL,OPDVA002.DLL,OPHCRENU.DLL,\ OPHCSENU.DLL,OPHCWDDM.DLL,OPHCWDUI.DLL,OPHCWINF.DAT,OPHCWM00.DAT,\ OPHCWNXS.DLL,OPHCWNXT.DLL,OPHCWS00.DAT,OPNE000C.SCR,OPRCL000.DLL,\ OPS00ENU.DLL,OPS00JPN.DLL,OPUSB000.DLL,QDPRIOK.DLL,RDMWIN32.DLL,\ SDDM.INI,SDDMOK.DLL,SDDMUK.DLL,SDIMFOK.DLL,SDNTUM4.DLL,SDOK.DLL,\ SQMCODER.DLL,SROK.DLL,ZENOCMM.DLL,ZENOICM.DLL,ZGDIOK.DLL,ZLANG.DLL,\ ZSPOOL.DLL,ZSPOOLOK.EXE,ZTAG32.DLL" Usage: adddriver \ :::\ :::\ : I know that looks like a very long list, but that's what the 'Windows 2000 Printer Test Page' told me! I'm assuming that most of those files are related to some kind of monitor that I could perhaps do without. As far as my syntax is concerned I have the files in the right order. Cheers, Tim -- Tim Kent CCNA CNS Wilkinson-Kent Consulting Pty Ltd t +61 7 3862 1963 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Upgrade path v 3.0.0 to 3.0.3
Hello all, Just a question on upgrading from Samba 3.0.0 to 3.0.3. I have several servers running 3.0.0 that I want to upgrade.They all use OpenLDAP backend. What I think I should backup are: samba/lib/smb.conf samba/var/locks/*.tdb samba/private/secrets.tdb Wipe the old system, recompile and install the new system, restore above files to appropriate location. Anything else I should backup, or suggestions? -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Logon scripts
Hello Urs, I've been experimenting with RunAsP.exe to do exactly what you are suggesting. By using kixtart script processor you can fork part of your clients that login (2000/XP) to runasp.exe. This can switch user context to an administrator, run a program, then return to the user's context. The only drawback is that they charge $ per client machine. The passwords are kept in an encrypted form in a file that can be launched from the netlogon directory. I've evaluated it enough that to determine that I can't do without it. I've tested it for automating Norton AV virus definition updates from login scripts as well as running older programs that write to priveleged directories, but there are many thing it can be used for. Nobody has written a free version to my knowledge, would be a great project. Good luck -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba Release 3.0.1 group enumeration
Hello, I was looking at the release notes for version 3.0.1 and it mentions a bug fix for enumerating group mappings from an LDAP directory. I know the version that I run 3.0.0, is not able to get group membership from an OpenLDAP directory. Could someone just confirm that this is is the case in version 3.0.1? Thanks. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] smb.conf
This is just a quick question, what is the difference between "+" and "@" when using groups for say valid users or write list ex valid users = +staff valid users = @staff -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] changing desktop/profiles
hi to all... just one thing that annoys me in a day... that an employee will approach me and tell me that his/her settings was changed i did even disabled the profiles long before so they are using the locally stored cache .. and why does it still change..??? and im also having these error = get_domain_user_groups: primary gid of user [leslie] is not a Domain group ! Jan 19 13:02:31 genesis smbd[3994]: get_domain_user_groups: You should fix it, NT doesn't like that = but this user is in the ntadmins groups as mapped as "domainAdmins" help -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] logging messenger service in windows
hi to all im not sure if i have the appropriate subject to put... but anyways... we have windows workstations(mostly) and a samba3.0 on a rh9... is there a way to log any communications using the windows 'net send' tia kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] editing important files with running samba
hello to all... does anyone here worry about the look of their /etc/passwd /etc/group for me, yes i do.. i wanted to separate the users with pc accounts.. but would my network go crazy if i will reset some of the gid and uid and also i've noticed that the file /etc/samba/smbpasswd is also somehow link to the /etc/group ... any advice on how to properly edit things.. tia kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Multiple domains on one PDC
im looking forward for this i wish i could setup our network like this... On Tue, 2004-01-13 at 01:56, Peter Depuydt wrote: > Hello, > > Is it possible to maintain multiple domains on a single samba server ? > > If needed we can create an overall masterdomain (eg forest) where the > Current domains could be trees. > > Currently we manage every domain on a separate server and running as > An separate PDC . We would like to maintain an single server . > > Is it possible.. > > Peter Depuydt > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] disabled roaming profile
ok.. at first i thought this is nice but i seem (still) don't know how to control things so i decided not to use roaming profiles... i disabled it and some of the workstations is now using their local profiles (winNT and winXP) but i have still problems with windows 2000 ... it kept on contacting the server for the profile.. i can't find how to disable the roaming profile in win2k i already tried to do .. MY COMPUTER>>PROPERTIES>>USER PROFILES but it is set on local not roaming... i also tried to search the registry but i don't know that to search for.. pls help.. TIA Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3.0 PDC+LDAP Help in Fedora Core 1
preciate any > help as I'm just tired of reading and just can't seem to get past adding > a machine. Thanks for any help... > > Jason > > > --- begin ldap.conf > > HOST 127.0.0.1 > BASE dc=test,dc=edu > > end ldap.conf > > > --- begin slapd.conf > > include /etc/openldap/schema/core.schema > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/nis.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/samba.schema > > pidfile /var/run/slapd.pid > argsfile /var/run/slapd.args > database bdb > suffix "dc=test,dc=edu" > rootdn "cn=root,dc=test,dc=edu" > rootpw testing > > directory /var/lib/ldap > index objectClass eq > index cn pres,sub,eq > index sn pres,sub,eq > index uid pres,sub,eq > index displayName pres,sub,eq > index uidNumber eq > index gidNumber eq > index memberUid eq > index sambaSID eq > index sambaPrimaryGroupSID eq > index sambaDomainName eq > index default sub > > end slapd.conf > > > begin smb.conf > [global] > passdb backend = ldapsam > ldap suffix = "dc=test,dc=edu" > ldap machine suffix = ou=Computers > ldap user suffix = ou=Users > ldap group suffix = ou=Groups > ldap admin dn = "cn=root,dc=test,dc=edu" > ldap ssl = no > idmap backend = ldap:ldap://127.0.0.1 > passwd chat debug = Yes > passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u > passwd chat = *new*password* %n\n *new*password:* %n\ *successfully* > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 Never used the IDEALX scripts. Right now I use a shell script to batch add computers and users. > add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m > add user script = /usr/local/sbin/smbldap-useradd.pl -a %u > delete user script = /usr/local/sbin/smbldap-userdel.pl %u > add group script = /usr/local/sbin/smbldap-groupadd.pl %g > delete group script = /usr/local/sbin/smbldap-groupdel.pl %g > add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g > delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g > set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u > workgroup = TEST > netbios name = donald > comment = test samba pdc > security = user > null passwords = yes > encrypt passwords = yes > logon script=logon.bat > logon drive = > logon path = > domain master = yes > domain logons = yes > preferred master = yes > os level = 33 > wins support = yes > wins proxy = no > log file = /var/log/samba/%m.log > public = No > browseable = yes > writable = No > > ; necessary share for domain controller > [netlogon] > path = /netlogon > locking = no > read only = yes > write list = ntadmin > > ;test share > [tmp] > writeable = yes > public = yes > path = /tmp > > [profiles] > path = /profiles > read only = no > writeable = yes > create mask = 0600 > directory mask = 0700 > > end smb.conf --- One other thing I found that would cause problems adding a computer to a domain. Duplicate names. If you use ghost disk imaging this is a common problem. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Secondary, tertiary group problems in Samba LDAP
I don't, is it essential for this to work correctly? On Fri, 2004-01-09 at 10:52, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 7 Jan 2004, Kent L. Nasveschuk wrote: > > > Hello, > > I found an interesting thing that I don't know if it is a bug, by design > > or I need to be doing something that I'm not but here goes. > > > > My system > > RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master, > > (3) BDC with LDAP slave backend. All are Samba 3.0. > > > > I had a probelem with secondary, tertiary etc groups that people belong > > to and Samba recognizing these groups if they were stored in LDAP. The > > primary group was no problem. When I created shares but used > > "@groupname" for valid users or write list, Samba would fail to get > > that info from LDAP. They needed to be in /etc/group to work. As soon as > > I added users in secondary groups to /etc/group users were recognized > > and rights were assigned. > > do you have nss_ldap setup correctly? > > > > > > > > cheers, jerry > -- > Hewlett-Packard- http://www.hp.com > SAMBA Team -- http://www.samba.org > GnuPG Key http://www.plainjoe.org/gpg_public.asc > "If we're adding to the noise, turn off this song" --Switchfoot (2003) > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.0 (GNU/Linux) > Comment: For info see http://quantumlab.net/pine_privacy_guard/ > > iD8DBQE//s5YIR7qMdg1EfYRApHUAKDfecFReHBdV4XU8femIsKXkbdR5wCg6Rxa > 2DWV4KTXVLdyl22z1Tkcjzs= > =ptcK > -END PGP SIGNATURE- -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] roaming profiles...
On Fri, 2004-01-09 at 10:45, Kent L. Nasveschuk wrote: > I don't use roaming profile for this reason. i didn't enable this in the first place, but with my first logon pc it is what the error says that i can't connect to the \\server\profiles ... so i was thinking that maybe they needed it most so i just find ways to enable it... > You tell 'em don't store everything on the desktop or it will take a long time to > login, and they > do the opposite. some users forgets... > There is no advantage to these in my opinion also. for me maybe yes... if ever i will reformat that pc ... then i have same desktop and some (small) files > I don't have the advantage of having many machines that are identical in > terms of software installed. A person that moves to another machine is > going to have a bunch of icons that lead nowhere. > I'm content with storing profiles on the local machine. i guess i can disable this option and go to local profiles > > Say, where'd you get that first name Kent? errr... i don't know ... but maybe from my grandpa... he is a US citizen (i think) > > On Thu, 2004-01-08 at 05:19, kent E. wrote: > > hey guys i want to hear your experience regarding this situation > > > > got this one user who store lots of big chunk files in his "My > > Documents" folder now as she logs out ... it took us several minutes for > > us to be able to shut down... > > > > how to take care of this? can i select which to include in the roaming > > files ... > > > > TIA > > Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: WAS: Re: [Samba] net groupmap / domain admins problem - Amazon prize
John, I actually did try this out +, I don't believe I could get it to work. I tryed many variations. I guess I need to experiment more with how nsswitch.conf and how pam is configured. I'm not real knowledgeable in this area. I found an interesting work around for those of you looking for mapping drives from login scripts based on secondary + groups. /etc/group dusers:x:500: staff:x:680:kent,fred,joe /etc/passwd kent:x:4044:500::/accounts/staff/kent:/bin/bash ksnider:x:4045:500::/accounts/staff/fred:/bin/bash joe:x:4045:500::/accounts/staff/joe:/bin/bash Users primary group is dusers 500 but have secondary group staff 680. In netlogon directory I put directory same name as share for example: netlogon/staff-files In the directory put single file secured by directory permissions example: netlogon/staff-files/readme directory permissions on staff-files directory in netlogon (0750) drwxr-x---2 root staff 4096 Jan 7 07:40 staff-files share is smb.conf: [staff-files] comment = Staff Files path = /accounts/staff/staff-files valid users = @staff write list = @staff In netlogon script reads as follows: if exist \\SERVERNAME\netlogon\staff-files net use S: \\SERVERNAME\staff-files Samba checks local Linux groups and if user is in group he/she is capable of reading file, drive is mapped. Of course I wish all this info was in LDAP so I wouldn't have to mess with local groups but Christmas has gone by and I didn't find this solution in my stocking. I can't take any credit for this idea. I found it in a 1999 posting but it's a temporary fix for something that I believe many of us are seeking. Just have to say this stuff is marvelous. I've been utterly frustrated and amazed at the versatilaty of Samba. Thanks for you support. On Thu, 2004-01-08 at 03:54, John H Terpstra wrote: > Hansjoerg, > > Instead of: > valid users = @Groupe > > Please try: > valid users = +Groupe > > Thanks. > > - John T. > > > On Thu, 8 Jan 2004, Hansjoerg Maurer wrote: > > > Hi > > > > thank you, for your fast replay. > > I have a user sporer > > [EMAIL PROTECTED] root]# id -a sporer > > uid=1000(sporer) gid=1000(sensodrivegroup) > > Gruppen=1000(sensodrivegroup),1001(managementgroup) > > > > The user and the group is in ldap and nss_ldap seems to work.. > > [EMAIL PROTECTED] root]# getent group > > root:x:0:root > > > > Domain Admins:x:912: > > Domain Users:x:913: > > Domain Guests:x:914: > > Administrators:x:944: > > Users:x:945: > > Guests:x:946: > > Power Users:x:947: > > Account Operators:x:948: > > Server Operators:x:949: > > Print Operators:x:950:Administrator > > Backup Operators:x:951: > > Replicator:x:952: > > Domain Computers:x:953: > > sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root > > managementgroup:x:1001:management,root,haehnle,sporer,sporers > > > > I am using > > [EMAIL PROTECTED] root]# rpm -q nss_ldap > > nss_ldap-207-3 > > > > on RH9 > > > > Within samba I have to shares > > [Projekte] > >comment = Sensodrive-Projekte > >path = /home/sensodrive > >force group = sensodrivegroup > >force user = sensodrive > >valid users = @sensodrivegroup,root > > > > [Management] > >comment = Sensodrive-Management > >path = /home/management > >force group = managementgroup > >force user = management > >valid users = @managementgroup,root > > > > Every user can access the Projekte share, because the primary group of > > every user is sensodrivegroup. > > When user sporer tries to acess the Management share, he gets > > user 'sporer' (from session setup) not permitted to access this share > > (Management) > > > > If I add the user sporer by his username to valid users it works > >valid users = @managementgroup,root,sporer,haehnle,sporers > > > > Maybe this helps to solve the problem > > If you need more information, or further testing give me a note > > > > Thank you very much > > > > Greetings > > > > HansjÃrg > > > > > > > > > > John H Terpstra wrote: > > > > >On Thu, 8 Jan 2004, Hansjoerg Maurer wrote: > > > > > > > > > > > >>Hi > > >> > > >>i have a question related to the groupmapping with ldapsam as backend. > > >>You discribed, that groupentries have to be in /etc/group with tdbsam as > > >>backend. > > >> > > >>I
[Samba] roaming profiles...
hey guys i want to hear your experience regarding this situation got this one user who store lots of big chunk files in his "My Documents" folder now as she logs out ... it took us several minutes for us to be able to shut down... how to take care of this? can i select which to include in the roaming files ... TIA Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] user administrator rights
hi to all i have just successfully created a samba PDC ... now i added users and machine accounts ... but how to give administrative rights in the users? or it is really built-in ... for security purposes Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Secondary, tertiary group problems in Samba LDAP
Hello, I found an interesting thing that I don't know if it is a bug, by design or I need to be doing something that I'm not but here goes. My system RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master, (3) BDC with LDAP slave backend. All are Samba 3.0. I had a probelem with secondary, tertiary etc groups that people belong to and Samba recognizing these groups if they were stored in LDAP. The primary group was no problem. When I created shares but used "@groupname" for valid users or write list, Samba would fail to get that info from LDAP. They needed to be in /etc/group to work. As soon as I added users in secondary groups to /etc/group users were recognized and rights were assigned. As a side note each line of /etc/group is limited to 1024 bytes, so there is a limit on how many users you can add to a group using /etc/group. If you exceed that when the system scans the /etc/group file, it will fail at the line >1024 bytes and any groups below will fail to be recognized. I believe that this is a bug. If you do "ls" on a directory or "id " where one of the entries in your /etc/group has exceeded the limit, the groups will show as numbers and not a group name. Can I use pam_winbindd to extract group membership from LDAP at this time for secondary, tertiary etc groups? -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] problems with profiles and netlogon
newbie here.. my samba3.0 sits on a redhat9 and i have a winNT4.0 logging into it.. the name of the ntPC is cpu3 now.. im not sure what to put into my profiles and netlogon.. here is a the log of the specific workstation [2004/01/07 18:47:10, 2] smbd/sesssetup.c:setup_new_vc_session(535) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2004/01/07 18:47:32, 2] auth/auth.c:check_ntlm_password(302) check_ntlm_password: authentication for user [cpu3] -> [cpu3] -> [cpu3] succeeded [2004/01/07 18:47:35, 2] auth/auth.c:check_ntlm_password(302) check_ntlm_password: authentication for user [cpu3] -> [cpu3] -> [cpu3] succeeded [2004/01/07 18:47:35, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/profiles' does not exist or is not a directory, when connecting to [profiles] [2004/01/07 18:47:35, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/profiles' does not exist or is not a directory, when connecting to [profiles] [2004/01/07 18:47:51, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/netlogon' does not exist or is not a directory, when connecting to [netlogon] [2004/01/07 18:47:52, 2] smbd/service.c:make_connection_snum(384) user 'cpu3' (from session setup) not permitted to access this share (cpu3) [2004/01/07 18:47:52, 2] smbd/service.c:make_connection_snum(384) user 'cpu3' (from session setup) not permitted to access this share (cpu3) [2004/01/07 18:47:52, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/netlogon' does not exist or is not a directory, when connecting to [netlogon] [2004/01/07 18:47:52, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/netlogon' does not exist or is not a directory, when connecting to [netlogon] [2004/01/07 18:47:52, 0] smbd/service.c:make_connection_snum(670) '/etc/samba/netlogon' does not exist or is not a directory, when connecting to [netlogon] a snippet of my smb.conf [netlogon] comment = Network Logon Service path = /etc/samba/netlogon public = yes read only = yes valid users = @cdr browseable = no [profiles] path = /etc/samba/profiles writable = yes create mask = 0600 directory mask = 0700 browseable = no ; valid users = root @cdr -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] simple question
thanks that works but i have another problem ... ill be posting it in another thread On Wed, 2004-01-07 at 17:16, FermÃn Galán Márquez wrote: > As far I know, you cannot use the same name for users and a machines > account. > > This is the way that I follow to create machine accounts: > > 1. Create a "user" account in /etc/passwd (note the '$') > > # useradd cpu3$ > > 2. Create the machine account with smbpasswd (note now '$' is not in the > name) > > # smbpasswd -a -m cpu3 > > I hope this may help you... > > -- > FermÃn > > -Mensaje original- > De: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] En nombre > de kent E. > Enviado el: miércoles, 07 de enero de 2004 9:26 > Para: samba > Asunto: [Samba] simple question > > i just got confused in creating machine accounts in my samba server > > 1rst creating the user > [EMAIL PROTECTED] root]# smbpasswd -a cpu3 > New SMB password: > Retype new SMB password: > Added user cpu3. > > than adding the machine... > [EMAIL PROTECTED] root]# smbpasswd -a -m cpu3$ > Failed initialise SAM_ACCOUNT for user cpu3$. > Failed to modify password entry for user cpu3$ > [EMAIL PROTECTED] root]# > > what am i missing... (still googling...) > > TIA > Kent > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] simple question
i just got confused in creating machine accounts in my samba server 1rst creating the user [EMAIL PROTECTED] root]# smbpasswd -a cpu3 New SMB password: Retype new SMB password: Added user cpu3. than adding the machine... [EMAIL PROTECTED] root]# smbpasswd -a -m cpu3$ Failed initialise SAM_ACCOUNT for user cpu3$. Failed to modify password entry for user cpu3$ [EMAIL PROTECTED] root]# what am i missing... (still googling...) TIA Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] How do I get Winbind accounts in LDAP?
I've seen this posting before but I need to get a grasp on this. I am using winbindd for users that don't have a local account on a Linux box. I thought that placing the entries below in the smb.conf would create users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with every user that is added,but the user ID mappings are stored in /usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will change this. These are the applicable portions of smb.conf. ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net ldap ssl = no idmap backend = ldap:ldap://127.0.0.1 ldap idmap suffix = ou=Idmap winbind separator = + idmap uid = 4-5 idmap gid = 4-5 winbind enum users = yes winbind enum groups = yes template homedir = /accounts/default/%D/%U template shell = /bin/bash winbind use default domain = yes winbind cache time = 15 obey pam restrictions = yes So I use wbinfo -c . This returns a RID number. User can now login or use smbclient -L localhost -U and get available shares on this BDC. In LDAP directory is incremented by 1, but there are no entries. How do I move the entries that are stored in /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory? What I've omitted in all this is that pam and pam_winbind is setup correctly, which I believe it is. -- Kent [EMAIL PROTECTED] [EMAIL PROTECTED] Tips:--> "OpenOffice.org ... Stops Word macro viruses DEAD!" "Postgresql.org ... Don't 'kill -9' the postmaster" "Technology is legislation - C. Einfeldt on OO.o discuss list" -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Several people on this mailing list have the W32/Swen@MM virus
I get these often, but I use Linux as a desktop machine so it's not from me. On Fri, 2004-01-02 at 08:07, Rob Taft wrote: > Ever since I signed up for this mailing list and sent my first question, I have been > bombarded with the W32/[EMAIL PROTECTED] and the emails aren't all from the same > person. Is anyone else experiencing this? > > Rob -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind not quite working yet
Hello, I'm trying to get Winbind to authenticate users that don't have local accounts on a SAMBA BDC. I have (3) BDCs (1) PDC running OpenLDAP 2.1.23 pass backend and Samba 3.0. These are on RedHat 8.0 systems. 3 BDC are also slave LDAP and 1 master directory server on the PDC. I went through the Samba documentation CH21 and made modifications to the BDCs and PDC as follows: nsswitch.conf files winbind for passwd and group pam.d/login #%PAM-1.0 #auth required /lib/security/pam_securetty.so auth sufficient /lib/security/pam_winbind.so auth sufficient /lib/security/pam_unix.so use_first_pass auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so accountsufficient /lib/security/pam_winbind.so accountrequired /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth sessionrequired /lib/security/pam_stack.so service=system-auth sessionoptional /lib/security/pam_console.so pam.d/samba #%PAM-1.0 #authrequired/lib/security/pam_stack.so service=system-auth #account required/lib/security/pam_stack.so service=system-auth authrequired/lib/security/pam_nologin.so authrequired/lib/security/pam_pwdb.so nullok shadow authrequired/lib/security/pam_stack.so service=system-auth account required/lib/security/pam_winbind.so account required/lib/security/pam_pwdb.so account required/lib/security/pam_stack.so service=system-auth session required/lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth pam.d.system-auth #%PAM-1.0 authsufficient/lib/security/pam_winbind.so authrequired /lib/security/pam_env.so authsufficient/lib/security/pam_unix.so likeauth nullok use_first_pass authrequired /lib/security/pam_deny.so account sufficient/lib/security/pam_winbind.so account required /lib/security/pam_unix.so passwordrequired /lib/security/pam_cracklib.so retry=3 type= passwordsufficient/lib/security/pam_unix.so nullok use_authtok md5 shadow passwordrequired /lib/security/pam_deny.so session required /lib/security/pam_mkhomedir.so umask=0022 session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so pam_winbind.s is in /lib/security libnss_winbind.so and symbolic link to it from libnss_winbind.so.2 smb.conf ... winbind separator = + idmap uid = 1-2 idmap gid = 1-2 winbind enum users = yes winbind enum groups = yes template homedir = /accounts/default/%D/%U template shell = /bin/bash winbind use default domain = yes ... If I run smbclient on a BDC: smbclient -L localhost -U fred where fred is a local account I get shares and an appropriate response. When I check the logs, samba.bdc name it indicates that samba is getting information from the LDAP directory, including password. When I do the same for a person without a local account, the LDAP directory returns user found but : session setup failed: NT_STATUS_LOGON_FAILURE Also when I run getent passwd as root I only get local accounts. When I run wbinfo -u I get all users in the LDAP directory, wbinfo -g only domain groups no local groups. Any help would be appreciated. I'm a little stumped with this one. -- Kent [EMAIL PROTECTED] [EMAIL PROTECTED] Tips:--> "OpenOffice.org ... Stops Word macro viruses DEAD!" "Postgresql.org ... Don't 'kill -9' the postmaster" "Technology is legislation - C. Einfeldt on OO.o discuss list" -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] installing gui interfaces for samba
On Mon, 2003-12-29 at 23:06, Andrew Gaffney wrote: > kent E. wrote: > > i've browse the web and found 'Smb4K - An SMB share browser for KDE' > > since this is something similar like a windows sharing this would be > > safer for our newbie(unix) users but i have problem installing the > > package > > > > === > > checking for Qt... configure: error: Qt (>= Qt 3.1 (20021021)) (headers > > and libraries) not found. Please check your installation! > > For more details about this problem, look at the end of config.log. > > > > > > i already installed the qt ver 3.1++ > > > > [EMAIL PROTECTED] smb4k-0.3.1]# rpm -qa qt > > qt-3.1.1-6 > > > > You might want to try to find an RPM for your distro for that program. yes. i already did install the rpm version of the distro.. i think before(by default) it is 3.0 > Another good SMB browser I've found is Xfsamba. ok i will check it out. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] installing gui interfaces for samba
i've browse the web and found 'Smb4K - An SMB share browser for KDE' since this is something similar like a windows sharing this would be safer for our newbie(unix) users but i have problem installing the package === checking for Qt... configure: error: Qt (>= Qt 3.1 (20021021)) (headers and libraries) not found. Please check your installation! For more details about this problem, look at the end of config.log. i already installed the qt ver 3.1++ [EMAIL PROTECTED] smb4k-0.3.1]# rpm -qa qt qt-3.1.1-6 but still don't know whats missing ... guyz can u help me up... TIA Kent -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Valid users as group fails
Just wondering if anyone is experiencing a similar problem. System: RedHat 8.0 Samba 3.0 LDAP 2.1.23 vaild users on a share fails yet individual users works. I've seen other posts similar to this. Users have a memberUID entry directory in LDAP. The Linux box has group 506 mapped to sambaSid Sxxx...-2013 Where can I look for problems? -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba BDC doesn't talk to LDAP slave on same machine
Hello,
I can't get my BDC to talk to the LDAP slave running on the same
machine. Replication between slave and master works but samba on the BDC
doesn't appear to be communicating with the slave LDAP server.
Everything off the PDC works fine.
--
smb.conf on BDC
--
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time offset = 60
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = netlogon.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = Decas2
server string = RedHat 8.0 Samba LDAP
passdb backend = ldapsam:"ldap://172.16.0.3 ldap://127.0.0.1";
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete user script = /usr/local/sbin/smbldap-useradd.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
logon script = netlogon.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = No
dns proxy = Yes
admin users = @domain_admins
wins support = no
wins server = 172.16.0.3
wins proxy = no
name resolve order = wins hosts bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S
hide files = /.*/
[netlogon]
comment = Netlogon share
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
write list = @domain_admins
[programs]
comment = Programs
path = /accounts/programs
[printers]
comment = All Printers
path = /var/spool/samba
read only = Yes
printable = Yes
browseable = No
--
slapd.conf ond BDC
--
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26
17:06:18 kurt Exp $
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
databaseldbm
suffix "dc=tow,dc=net"
rootdn "cn=admin,dc=tow,dc=net"
rootpw {SSHA}bbcOI00dfOOJdNCsuFfWf8forJC/Q2P8
directory /usr/local/var/openldap-slurp/wareham
updatedn"cn=admin,dc=tow,dc=net"
updateref "ldap://172.16.0.3";
schemacheck on
lastmod on
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
#index cn,mail,surname,givenname eq,subinitial
index cn,snpres,eq,sub
access to dn=".*dc=tow,dc=net"
by self write
by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=root,ou=Users,dc=tow,dc=net" write
by self write
# by anonymousauth
by * none
--
LDAP.conf on BDC
--
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04
19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASEdc=tow,dc=net
URI ldap://172.16.151.254
host172.16.151.254 172.16.0.20
ldap_version 3
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
--
Kent L. Nasveschuk <[EMAIL PROTECTED]>
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Winbindd
The message I got from Jerry Carter yesterday says that Winbindd is only required for trust accounts between 2 domains. I was confused also, the documentation seems to lead one to the contrary. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Authenticating to BDC with LDAP backend
Hello, I'm still trying to get this straightened out. I have the following system: System description RedHat 8.0 LDAP 2.1.23 Samba 3.0 I have basically 2 BDC that I want users to have home directories on. These also run LDAP backend as slave servers. Do all machines using the domain need to have machine accounts on the PDC or do some that use the BDC for home directories need to have machine accounts on the BDC? Any help or suggestions would be appreciated. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind pdc bdc problem
Thanks, guess I don't need it then. I wasn't quite sure what the full function was for winbindd. On Tue, 2003-12-16 at 10:01, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Kent L. Nasveschuk wrote: > > | Do I need to use winbind between pdc and bdc if I'm > | using LDAP backend? > > On a Samba DC, Winbindd is only needed when the DC's have > established trusts with other domains (and you need > winbindd to generate accounts for the trusted users > and groups). > > > - -- > ciao, jerry > ~ -- > ~ Hewlett-Packard- http://www.hp.com > ~ SAMBA Team -- http://www.samba.org > ~ GnuPG Key http://www.plainjoe.org/gpg_public.asc > ~ "If we're adding to the noise, turn off this song" --Switchfoot (2003) > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.1 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQE/3x5NIR7qMdg1EfYRAu0aAJ0bf1xldkSU72onr/iL1l9wl70n1QCfTi+f > pj/6UNQJrMakJb0dUhTVO1E= > =nmX/ > -END PGP SIGNATURE- -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind pdc bdc problem
Do I need to use winbind between pdc and bdc if I'm using LDAP backend? I have a PDC setup with LDAP master on backend and a BDC with slave LDAP in another building.I'm just having a problem with getting users to authenticate and use the BDC for home directories and exactly how to have W2k clients join the domain.. The BDC is in another building (connected by a slow connection) so it needs to have a copy of LDAP for authentication purposes. I've tested LDAP replication and it works fine and receives updates from the master. The PDC does everthing that it should. I can join W2k clients, and users can get to their home directories. My problem is in Samba and how to configure the BDC for users to use it. System description RedHat 8.0 LDAP 2.1.23 Samba 3.0 Any help or suggestions would be appreciated. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Re: Can't access remote server
2934 ?S 0:04 nmbd -D So nmbd is running. That's what've been guessing. But why is it that it is not responding to remote inquiries? "Joel Hammer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > What does ps ax | grep nmbd show on the box you can't connect to? > Sometimes nmbd exits if there is an error of some sort or another. > Joel > > On Thu, Dec 11, 2003 at 01:28:35PM -0600, Kent Wang wrote: > > I've run iptables -L and iptables -t nat -L and there are no settings. I've > > setup iptables lots of times before so I'm pretty familiar with it. > > > > A few things that are bugging me is that I have a smb entry in my > > /etc/rc.d/init.d but no nmbd entry. Has this been merged into one entry? It > > doesn't seem like my nmb functionality is actually broken as nmblookup -B > > webdev.ic2.org __SAMBA__ runs successfully on the server. > > > > However, this command when run from a remote machine fails: > > > > [EMAIL PROTECTED] kwang]$ nmblookup -B webdev.ic2.org __SAMBA__ > > querying __SAMBA__ on 128.83.222.87 > > name_query failed to find name __SAMBA__ > > > > DIAGNOSIS.txt has been pretty helpful, but I'm stuck on Test 8. I'm not sure > > how to "fixup the nmbd installation" but I've managed to do all the other > > recommended solutions with no success. > > > > Anyway, thanks for your help so far. > > > > Kent Wang > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Can't access remote server
I've run iptables -L and iptables -t nat -L and there are no settings. I've setup iptables lots of times before so I'm pretty familiar with it. A few things that are bugging me is that I have a smb entry in my /etc/rc.d/init.d but no nmbd entry. Has this been merged into one entry? It doesn't seem like my nmb functionality is actually broken as nmblookup -B webdev.ic2.org __SAMBA__ runs successfully on the server. However, this command when run from a remote machine fails: [EMAIL PROTECTED] kwang]$ nmblookup -B webdev.ic2.org __SAMBA__ querying __SAMBA__ on 128.83.222.87 name_query failed to find name __SAMBA__ DIAGNOSIS.txt has been pretty helpful, but I'm stuck on Test 8. I'm not sure how to "fixup the nmbd installation" but I've managed to do all the other recommended solutions with no success. Anyway, thanks for your help so far. Kent Wang "Joel Hammer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > How are you so sure there are "no firewall settings." These things tend > to get turned on my default. > Walk thru DIAGNOSIS.txt. For example, can you ping the samba server? > What do you see with, let me recall, iptables -L (?), might be the command. > > Joel > > On Mon, Dec 08, 2003 at 10:58:48AM -0600, Kent Wang wrote: > > RedHat 9, samba-2.2.7a-8.9.0. Fresh install. No iptables or any firewall > > settings. > > > > I can access my server fine locally with smbclient, but using smbclient from > > a machine located in a network I get this: > > > > [EMAIL PROTECTED] kwang]$ smbclient //webdev.ic2.org/home > > added interface ip=24.243.211.67 bcast=24.243.223.255 nmask=255.255.240.0 > > added interface ip=192.168.0.2 bcast=192.168.0.255 nmask=255.255.255.0 > > error connecting to 128.83.222.87:139 (No route to host) > > Error connecting to 128.83.222.87 (No route to host) > > Connection to webdev.ic2.org failed > > > > Attempting this through Windows Explorer also fails. > > > > My hosts allow and hosts deny are both blank. > > > > Are there any settings that I need to check to enable the server to respond > > to outside connections? > > > > Thanks, > > Kent Wang > > IC2 Institute > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: http://lists.samba.org/mailman/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Can't access remote server
RedHat 9, samba-2.2.7a-8.9.0. Fresh install. No iptables or any firewall settings. I can access my server fine locally with smbclient, but using smbclient from a machine located in a network I get this: [EMAIL PROTECTED] kwang]$ smbclient //webdev.ic2.org/home added interface ip=24.243.211.67 bcast=24.243.223.255 nmask=255.255.240.0 added interface ip=192.168.0.2 bcast=192.168.0.255 nmask=255.255.255.0 error connecting to 128.83.222.87:139 (No route to host) Error connecting to 128.83.222.87 (No route to host) Connection to webdev.ic2.org failed Attempting this through Windows Explorer also fails. My hosts allow and hosts deny are both blank. Are there any settings that I need to check to enable the server to respond to outside connections? Thanks, Kent Wang IC2 Institute -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Help with home directories on BDC using LDAP
Hello, I'm having problems with creating machine accounts with W2K clients connecting to a Samba server that is also a BDC.I'm using LDAP as a backend for Samba 3.0. I have LDAP running as a master on the PDC and slave on the BDC. I am unsure where to create the UNIX machine accounts for clients that will be using the BDC for home directories. Do the machine accounts (computername$) need to be created on the PDC or the BDC? I am able to authenticate to the BDC and access shares as a user but when I attempt to join the domain with it fails unless I have the machine account on the PDC. Any help would be appreciated. -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba LDAP multiple servers
Thank you. I have set up one server as BDC and slave LDAP to master. The
others should be easy now that I have one set up. The only way I was
able to achieve replication was using the rootdn account. In the slave
slapd.conf one specifies the updatedn and updateref. Is there any place
to put a password if bindmethod is simple? I believe that is the
problem. I configured write access to a replication account as:
slave slapd.conf...
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26
17:06:18 kurt Exp $
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
databaseldbm
suffix "dc=tow,dc=net"
rootdn "cn=admin,dc=tow,dc=net"
rootpw {SSHA}bbcOI00dfOOJdNCsuFfWf8forJC/Q2P8
directory /usr/local/var/openldap-slurp/wareham
updatedn"uid=hugo,ou=users,dc=tow,dc=net"
updateref "ldap://172.16.0.3";
schemacheck on
lastmod on
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
#index cn,mail,surname,givenname eq,subinitial
index cn,snpres,eq,sub
access to dn=".*dc=tow,dc=net"
by self write
by dn="uid=hugo,ou=users,dc=tow,dc=net" write
by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=hugo,ou=Users,dc=tow,dc=net" write
by self write
by anonymousauth
by * none
When I start slapd -d1 I can watch attempts to update from the master
but it doesn't occur.
Suggestions?
CH 6 samba-howto collection helped with setup also.
On Wed, 2003-11-26 at 14:34, Patrick wrote:
> Adam Williams wrote:
>
> >>I have 1 Samba 3.0 server with LDAP 2.1.23 running on backend from the same
> >>machine. These are both RedHat 8.0. I have 2 other servers I would like to use the
> >>same LDAP directory. I used net join to join the servers to the domain. Prior to
> >>joining the domain the the servers had no SID. After using net join they got a new
> >>SID (net getlocalsid). In the LDAP directory what SID base should be attached to
> >>users and computers that I add? The original Domain SID?
> >>
> >>
> >
> >You should really add users VIA samba, or at least the sambaSamAccount
> >objectclass. This will work if you already have a posixAccount
> >objectclass. It will generate the SID based upon the domain SID and the
> >uidNumber/gidNumber.
> >
> >
> >
> >>I may have messed this up. What I want to do is set up the second 2 servers as
> >>member servers in the domain, and put user accounts with home directories on them.
> >>User uses LDAP to authenticate to member server. So far I can create an account
> >>and login in but I am unsure if I m using the SID for the user correctly.
> >>
> >>
> >
> >Let Samba set the SID.
> >
> >
> >
> >>What is a recommended for master slave LDAP servers that are used primarily for
> >>authentication to Samba servers. Should I set up a slave LDAP server for the
> >>member servers? These member servers would be located in separate buildings. The
> >>main server has about 1000 user accounts, and member servers about 120 each when
> >>finished.
> >>
> >>
> >
> >Eh? User accounts exist in the SAM, in this case LDAP - everywhere.
> >Slaves are just replicas of the master for redundancy and performance.
> >
> >
> >
> >> At any one time I anticipate 20-30% will be logged in during peak hours.
> >>
> >>Any help that anyone can give me on this I'd appreciate. This is a fairly large
> >>installation that eventually will span 8 building each with there own Samba server
> >>but authenticating to a single OpenLDAP directory.
> >>
> >>
> >
> >Make a master LDAP on the PDC, load all the users.
> >Join the member servers to the domain.
> >Create LDAP replicas on several/all member servers.
> >Setup NSS on the member servers to use their local/near-by LDAP replica.
> >
> >
>
> From what it sounds like you want to span the load of the PDC to
> mahines that will be in each building. In this case the samba server in
> each building should not be member servers. They should instead be a
> BDC. Each machine should me using a replica LDAP server and have samba
> configured as a BDC. As mentioned by Adam Williams you will need each
> of the BDC machines using NSS setup to use the LDAP replicas.
>
> To setup the BDC the Samba 3 HowTo Collection gives all the information
> you should need. This is what I used and everything seems to be working
> here.
>
> Partick
--
Kent L. Nasveschuk <[EMAIL PROTECTED]>
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba LDAP multiple servers
Here's my question: I have 1 Samba 3.0 server with LDAP 2.1.23 running on backend from the same machine. These are both RedHat 8.0. I have 2 other servers I would like to use the same LDAP directory. I used net join to join the servers to the domain. Prior to joining the domain the the servers had no SID. After using net join they got a new SID (net getlocalsid). In the LDAP directory what SID base should be attached to users and computers that I add? The original Domain SID? I may have messed this up. What I want to do is set up the second 2 servers as member servers in the domain, and put user accounts with home directories on them. User uses LDAP to authenticate to member server. So far I can create an account and login in but I am unsure if I m using the SID for the user correctly. What is a recommended for master slave LDAP servers that are used primarily for authentication to Samba servers. Should I set up a slave LDAP server for the member servers? These member servers would be located in separate buildings. The main server has about 1000 user accounts, and member servers about 120 each when finished. At any one time I anticipate 20-30% will be logged in during peak hours. Any help that anyone can give me on this I'd appreciate. This is a fairly large installation that eventually will span 8 building each with there own Samba server but authenticating to a single OpenLDAP directory. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Join Machine to Domain
Hey, Thanks for getting back to me. I could not put this down till I knew why things weren't working.I finally succeded in making everyting work and finding out why I had problems. I couldn't make it work with administrator. As soon as I deleted the administrator user and replaced user with root, Wah lah! I can join workstations. I removed username map from smb.conf. I also had a very strange error message that I have discovered is caused by some keys in the workstation registry that I changed. These are keys that are reported to need to be changed in XP and not W2K. The learning curve for this is high. I learned a great deal about Samba and LDAP but both packages are slick and work together quite well. All the time I've spent on this has been well worth it. Thanks for your help. Kent N On Mon, 2003-11-17 at 09:27, [EMAIL PROTECTED] wrote: > > > Hi, > > I forgot to tell you, that the samba password from the > uid=Administrator,ou=Users,dc=tow,dc=net MUST be the same like the samba > password for root . > Because samba will expect both the client and the server user to have the > same password. After that the option "username map" will work correctly. > > > > Regards > > Manuel Piessnegger > > > > > "Kent L. > Nasveschuk" > <[EMAIL PROTECTED] To > .ma.us> [EMAIL PROTECTED] > cc > 14.11.2003 17:44 Samba List Server ><[EMAIL PROTECTED]> >Subject >Re: [Samba] Join Machine to Domain > > > > > > > > > > > I appreciate your help on this. I still am having problems. Attached a > some of the pertinent configuration files. > > I can login in with any account so connection and password to access > ldap server works, just can't join domain. I get an error message bad > passwd or unknown user. I added the username map but root = > administrator still doesn't work. > > # Administrator, Users, tow.net > dn: uid=Administrator,ou=Users,dc=tow,dc=net > cn: Administrator > sn: Administrator > objectClass: inetOrgPerson > objectClass: sambaSAMAccount > objectClass: posixAccount > gidNumber: 0 > uid: Administrator > uidNumber: 0 > homeDirectory: /accounts/Administrator > sambaPwdLastSet: 1068814077 > sambaLogonTime: 0 > sambaLogoffTime: 2147483647 > sambaKickoffTime: 2147483647 > sambaPwdCanChange: 1068814077 > sambaPwdMustChange: 2147483647 > sambaHomePath: \\whs1\Administrator > sambaHomeDrive: H: > sambaProfilePath: \\whs1\profiles\ > sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC > sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467 > sambaAcctFlags: [U ] > sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000 > loginShell: /bin/bash > gecos: Netbios Domain Administrator > sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001 > userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ== > > > > smb.conf: > > > [global] > workgroup = WarehamPS > encrypt passwords = Yes > time server = Yes > socket options = TCP_NODELAY > security = user > logon script = netlogon.bat > writable = Yes > dns proxy = no > directory mask = 02770 > preferred master = yes > netbios name = WHS1 > server string = RedHat 8.0 LDAP Server > passdb backend = ldapsam > ldap passwd sync = Yes > passwd program = /usr/local/samba/bin/smbpasswd %u >passwd chat = *Enter\snew\sUNIX\spassword:* %n\n > *Retype\snew\sUnix\spassword:* %n\n > log file = /var/log/samba.%m > debug level = 2 > max log size = 50 > add user script = /usr/local/sbin/smbldap-useradd.pl %u > #de
[Samba] Login after join domain fails
Hello, Samba 3.0.0/LDAP 2.1.23 RedHat 8.0 After wrestling with the probelem of attempting to join a W2K computer to domain I finally succeded only to run into another problem. First I was not able to use user "administrator" as samba admin alias root to join computers to domain.I needed to create user "root" in LDAP with: uid=root uidNumber=0 gidNumber=0 sambaSID=S-1...1000 sambaPrimaryGroup=S-1...1001 Then I was able to join to domain. When I reboot I get an error message when trying to login: error 3221356590 I can't login with any account, same message. An account must be used, I'm assuming "nobody", through the network to create authentication tokens so that any user that logs in with a valid login name in LDAP will be able to login on this machine.The machine must authenticate first prior to the user. Anyone have this problem before. Could use some insite into where to look to fix this problem. -- Kent [EMAIL PROTECTED] [EMAIL PROTECTED] W 508 291-3510 X122 C 508 317-2755 Tips:--> "OpenOffice.org ... Stops Word macro viruses DEAD!" "Postgresql.org ... Don't 'kill -9' the postmaster" "Technology is legislation - C. Einfeldt on OO.o discuss list" -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Join Machine to Domain
I appreciate your help on this. I still am having problems. Attached a some of the pertinent configuration files. I can login in with any account so connection and password to access ldap server works, just can't join domain. I get an error message bad passwd or unknown user. I added the username map but root = administrator still doesn't work. # Administrator, Users, tow.net dn: uid=Administrator,ou=Users,dc=tow,dc=net cn: Administrator sn: Administrator objectClass: inetOrgPerson objectClass: sambaSAMAccount objectClass: posixAccount gidNumber: 0 uid: Administrator uidNumber: 0 homeDirectory: /accounts/Administrator sambaPwdLastSet: 1068814077 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 1068814077 sambaPwdMustChange: 2147483647 sambaHomePath: \\whs1\Administrator sambaHomeDrive: H: sambaProfilePath: \\whs1\profiles\ sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467 sambaAcctFlags: [U ] sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000 loginShell: /bin/bash gecos: Netbios Domain Administrator sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001 userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ== smb.conf: [global] workgroup = WarehamPS encrypt passwords = Yes time server = Yes socket options = TCP_NODELAY security = user logon script = netlogon.bat writable = Yes dns proxy = no directory mask = 02770 preferred master = yes netbios name = WHS1 server string = RedHat 8.0 LDAP Server passdb backend = ldapsam ldap passwd sync = Yes passwd program = /usr/local/samba/bin/smbpasswd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n log file = /var/log/samba.%m debug level = 2 max log size = 50 add user script = /usr/local/sbin/smbldap-useradd.pl %u #delete user script = /usr/local/sbin/smbldap-useradd.pl #add group script = /usr/local/sbin/smbldap-groupadd.pl delete group script = /usr/local/sbin/smbldap-groupdel.pl add machine script = /usr/local/samba/bin/smbpasswd -a -m %u #add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u logon script = netlogon.bat logon path = \\%N\profiles\%g logon drive = H: logon home = \\%L\%U domain logons = Yes os level = 64 domain master = Yes dns proxy = No admin users = @domain_admins # wins support = Yes ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net ldap ssl = no username map = /usr/local/samba/private/smbusers [homes] comment = Home Directories read only = no browseable = no writable = yes path = %H # valid users = %S hide files = /.*/ [profiles] path = /accounts/profiles read only = no create mask = 0600 directory mask = 0700 [netlogon] comment = Netlogon share path = /usr/local/samba/netlogon locking = no browseable = no read only = yes write list = @domain_admins [staff] comment = Staff common path = /accounts/staff read list = @staff @techstaff write list = @staff @techstaff [programs] comment = Programs path = /accounts/programs [adm-pgms$] comment = Admin Programs path = /accounts/adm_pgms read list = @techstaff write list = @techstaff [images$] comment = Ghost image files path = /accounts/images write list = kent read list = @techstaff [printers] comment = All Printers path = /var/spool/samba read only = Yes printable = Yes browseable = No slapd.conf # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $ include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/
[Samba] Stuck on joining W2K clients to domain Samba 3 LDAP 2.1.23
Not related to joining W2K clients to a domain but the "net" command refuses to work if there is a problem in smb.conf. Even if you run testparm and nothing is wrong. I don't kno if it's the order or whitespaces that causes it to not work. I"ve had to swap out smb.conf several times because I couldn't find the problem why the "net" command wouldn't run. I'm still trying to get Win2k clients to join a domain. from: http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html Joining workstations (NT, W2K, XP) to the Samba domain Basically you need cover these steps to add (join) a windows NT/W2K/XP to the domain: in the PDC samba server create an account for the machine one entry in the /etc/passwd or equivalent (nsswitch...) for the machine_name$-ended one basic entry in the ldap previous to call to the smbpasswd one full entry in the ldapwithsmbpasswd -a -m $ in the MS workstation, if is a XP or W2K you need set in the registry: SignOrSeal to "0" in the MS workstation you need join to the domain ASAP via: NT control pannel-> Network |Identification | Domain/Change domain W2K/XP myPC-> System properties|Computer name| Domain/Change domain I manually created an account in /etc/passwd $ I'm using: add machine script = /usr/local/samba/bin/smbpasswd -a -m %u in smb.conf to create ldap account. The user I am logging in as in LDAP to create account is: uid=Administrator uidNumber=0 sambaSID=S-1...-1000 sambaPrimaryGroupSID=S-1...-512 I can connect as user Administrator get to home directory but can't add machine account. I get bad passwd or unknown username. Please help! -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Problem Samba 3.0 with net groupmap access LDAP 2.1.23
Hello,
I thought I had this all figured out but I don't. I have a RedHat 8
system using LDAP 2.1.23 as backend to Samba 3.0.0. I wasn't able to get
machines to join the domain so I used the debug option in slapd -d 10 to
see what Samba was sending the LDAP server.
It looked like it was resolving my admin to the guest account. I went
back to check groupmap list and got the following error messages:
[EMAIL PROTECTED] root]# /usr/local/samba/bin/net groupmap list
[2003/11/12 12:44:29, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2048)
ldapsam_setsamgrent: LDAP search failed: No such object
[2003/11/12 12:44:29, 0]
passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2113)
ldapsam_enum_group_mapping: Unable to open passdb
I cannot tell you how many times I've run accross this message. One time
an error in my smb.conf caused it. This time I don't know. I get this
error message whether I load a base tree or it is empty. There are only
2 other configuration files that
I'm sure someone has run accross this. Any suggestions I'm running low
on patience.
Another question..
To add a computer to a domain, realize that to store the admin password
for Samba to use for this I need to run smppasswd -w . There are
different options in slapd.conf for encrypting the root user password.
What do I use? Nothing, {SSHA} {CRYPT} ..I may have a GCE (gross
conceptual error) about how this password is accessed. Help!
--
Kent L. Nasveschuk <[EMAIL PROTECTED]>
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: novice level question
I can't speak about whether or not this is a good practice, but I recently removed an intermediate organization from my LDAP tree. It was great as a logical entity but in practice it added an another layer to an already complex structure. I've had a great deal of experience with Novell that allows many layers to a directory structure through NDS. It can become very confusing to the average user about where they reside in the directory structure. Keep it as simple as possible. On Mon, 2003-11-10 at 17:11, Shekhar Ayyappan wrote: > Guys, > > I have recently been playing around with directory servers. > > My quick question of the day is as follows. > > I have a directory installed whose root points to o=xyz > > > > So for a user the dn is > > > > cn=user1,ou=users,o=xyz > > > > is this a good practice??? Is it ok to omit the c=nz??? > > I am not goin to hook my directory onto the internet, this is for my > private disposal.. > > Any thoughts guys??? > > > > Cheers and thnx in advance. > > shekhar > > > > __ > This email message and attachments are confidential to our > organisation and subject to legal privilege. If you have received > this email in error, please advise the sender immediately and destroy > the message and any attachments. If you are not the intended recipient > you are notified that any use, distribution, amendment, copying or any > action taken or omitted to be taken in reliance of this message or > attachments is prohibited. You can read our Privacy Policy here: > www.asbbank.co.nz/privacystatement.stm > __ -- Kent [EMAIL PROTECTED] [EMAIL PROTECTED] W 508 291-3510 X122 C 508 317-2755 Tips:--> "OpenOffice.org ... Stops Word macro viruses DEAD!" "Postgresql.org ... Don't 'kill -9' the postmaster" "Technology is legislation - C. Einfeldt on OO.o discuss list" -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba 3.0 - LDAP create machine account fails
Hello, It's me again. I'm running Samba 3.0 and LDAP 2.1.23 on a RedHat 8.0 system. I am able to browse shares and home directories. I get a: Logon failure: unknown username or bad password when I try to connect a W2k machine. For Win/95/98 the system already works. I believe it is setup OK I need to work on scripts that work with MMC. I just want a basic connect a w2k machine right now. Output from /usr/local/samba/bin/net groupmap list [EMAIL PROTECTED]'s password: Last login: Mon Nov 10 08:10:41 2003 from 172.16.1.246 [EMAIL PROTECTED] root]# /usr/local/samba/bin/net groupmap list domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root administrators (S-1-5-32-544) -> 544 users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> nobody power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547 account_operators (S-1-5-32-548) -> 548 server_operators (S-1-5-32-549) -> sys print_operators (S-1-5-32-550) -> lp backup_operators (S-1-5-32-551) -> bin replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519 [EMAIL PROTECTED] root]# output ldap search =>cn=domain_admins [EMAIL PROTECTED] root]# ldapsearch -xv -b "dc=tow,dc=net" cn=domain_admins ldap_initialize( ) filter: cn=domain_admins requesting: ALL # extended LDIF # # LDAPv3 # base with scope sub # filter: cn=domain_admins # requesting: ALL # # domain_admins, Groups, tow.net dn: cn=domain_admins,ou=Groups,dc=tow,dc=net objectClass: posixGroup objectClass: sambaGroupMapping sambaSID: S-1-5-21-1129281578-1295143107-3311307472-512 gidNumber: 0 cn: domain_admins memberUid: Administrator,kent description: Netbios Domain Administrators sambaGroupType: 2 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 smb.conf [EMAIL PROTECTED] root]# cat /usr/local/samba/lib/smb.conf # Samba config file created using SWAT # from 172.16.1.246 (172.16.1.246) # Date: 2003/11/04 16:29:07 # Global parameters [global] workgroup = WarehamPS netbios name = WHS1 server string = RedHat 8.0 LDAP Server passdb backend = ldapsam passwd program = /usr/local/sbin/smbldap-passwd.pl log file = /var/log/samba.%m max log size = 50 time server = Yes passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n # unix password sync = Yes # add user script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -c 'Machine Account' -s /bin/False # delete user script = /usr/local/sbin/smbldap-userdel.pl # add group script = /usr/local/sbin/smbldap-groupadd.pl # delete group script = /usr/local/sbin/smbldap-groupdel.pl add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g "domain_computer" -d /dev/null -c "Machine Account" -s /bin/false %u$ add user script = /usr/sbin/useradd -m -d /accounts/"%u" -g 500 %u delete user script = /usr/sbin/userdel -r %u add group script = /usr/sbin/groupadd %g delete group script = /usr/sbin/groudadd %g add user to group script = /usr/sbin/usermod -G %g %u # add machine script = /usr/sbin/useradd -s /bin/false -g 502 -d /dev/null %u$ logon script = netlogon.bat logon home = \\%L\%U domain logons = Yes os level = 64 domain master = Yes dns proxy = No ldap suffix = dc=tow,dc=net ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap admin dn = cn=admin,dc=tow,dc=net admin users = @domain_admins ldap ssl = no read only = No create mask = 02770 directory mask = 02770 [homes] comment = Home Directories path = %H hide files = /.*/ browseable = No [netlogon] comment = Network Logon Service path = /usr/local/samba/netlogon read only = Yes hide files = /.*/*.bat/*.dll/200*/ browseable = No [profiles] comment = Domain User Profiles path = /accounts/profiles read only = No browseable = No [staff] comment = Staff common path = /accounts/staff [images] comment = Ghost image files path = /accounts/images [printers] comment = All Printers path = /var/spool/samba read only = Yes printable = Yes browseable = No I've also added the appropriate password to secrets.tdb by: smbpasswd -w slapd.conf [EMAIL PROTEC
[Samba] smb.conf problems causes net groupmap to fail
Hello, I just thought I would post this since it may be helpful to others if they run into the same issues I did. I am using Samba 3.0 with openLDAP 2.1.23 as backend db on a Slackware 9 system. This is purely a test system that I need to test at home reliably enough to put into production in a school system. I was getting error messages when I went to run samba/bin/net commands. Couldn't figure it out until now. If you have a problem in your smb.conf when you try to run samba/bin/net commands like groupmap list, you get error messages. My guess and the developers can probably elaborate on this, net command reads the smb.conf whether or not the daemons smbd or nmbd is running. Errors in the config file will cause the net commands to fail. It took me a long time to experiment and find this out but I thought I should pass it on. -- Kent [EMAIL PROTECTED] [EMAIL PROTECTED] W 508 291-3510 X122 C 508 317-2755 Tips:--> "OpenOffice.org ... Stops Word macro viruses DEAD!" "Postgresql.org ... Don't 'kill -9' the postmaster" "Technology is legislation - C. Einfeldt on OO.o discuss list" -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Réf. : [Samba] Net groupmap fails
Did run a lower debug level -d 2 which gave me a clue that there was no objectclass sambaGroupMapping. Kent On Fri, 2003-11-07 at 11:09, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > John H Terpstra wrote: > > |>Should work as far as I can tell. try running > |> > |>~ net groupmap add ntgroup="Domain Admins" \ > |>~ unixgroup="Domain Admins" rid=512 --debuglevel=10 > |> > |>and see if you get any clues. > | > | > | Hint: Make sure that you have all your "add scripts" > | in place. Also, make sure that these scripts can handle > | object names that have > upper case characters and/or > | spaces in them. > > Does matter here. net group map doesn't run them > for you anyways. And in this case the group already > existed. > > | PS: groupadd does NOT permit spaces or upper case > | characters in a group name. > > In the unix group name? or the nt group name? > I know the ntgroup name is fine. If the unix group > name won't accept spaces, then this is a bug. > (which is why I asked for a log to start with). > > > > > ciao, jerry > - -- > ~ -- > ~ Hewlett-Packard- http://www.hp.com > ~ SAMBA Team -- http://www.samba.org > ~ GnuPG Key http://www.plainjoe.org/gpg_public.asc > ~ "If we're adding to the noise, turn off this song" --Switchfoot (2003) > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.1 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQE/q8OvIR7qMdg1EfYRAsyGAKDtVsl4h/vIi+E1ZuMjuV368esfwwCgxZ8W > gDyTYIou+TeI+46od+gdbxU= > =YkeB > -END PGP SIGNATURE- -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Réf. : [Samba] Net groupmap fails
When I ran smbldap_populate.pl the objectclass sambaGroupMapping was not present.I don't know if it is supposed to be created or not but when I used ldapmodify with and a file that contained: dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net add: objectclass objectclass: sambaGroupMapping sambaSID: S-1-5-21-739112995-4084651483-89095900-512 sambaGroupType: 2 Now when I run net groupmap list I get Domain Admins (S-1-5-21...512) => 512 Guess I will have to do that with all of the groups created by smbldap-populate.pl. found at archive: http://www.mail-archive.com/[EMAIL PROTECTED]/msg21134.html Am I doing this right? On Fri, 2003-11-07 at 10:31, Gerald (Jerry) Carter wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Kent L. Nasveschuk wrote: > > | [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain > | Admins" unixgroup="Domain Admins" rid=512 > | Can't lookup UNIX group Domain Admins > | > | Is there something with initial compiling samba 3.0.0 that would disable > | this? All the documentation that I've seen makes it look so easy, but I > | can't get it to work. > > Should work as far as I can tell. try running > > ~ net groupmap add ntgroup="Domain Admins" \ > ~ unixgroup="Domain Admins" rid=512 --debuglevel=10 > > and see if you get any clues. > > > > cheers, jerry > - -- > ~ -- > ~ Hewlett-Packard- http://www.hp.com > ~ SAMBA Team -- http://www.samba.org > ~ GnuPG Key http://www.plainjoe.org/gpg_public.asc > ~ "You can never go home again, Oatman, but I guess you can shop there." > ~--John Cusack - "Grosse Point Blank" (1997) > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.2.1 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQE/q7rgIR7qMdg1EfYRApNLAJ9Vl+zRDF6dcF/ILcLBXx1KUyEniQCg2jm8 > awcVVG2Haash31wV5FKIRvo= > =AzvU > -END PGP SIGNATURE- -- Kent L. Nasveschuk <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Réf. : [Samba] Net groupmap fails
Stephanie, Thank you for your help. I tryed what you suggest but no luck.. I get this: [EMAIL PROTECTED]:~# /usr/local/samba/bin/net groupmap add ntgroup="Domain Admins" unixgroup="Domain Admins" rid=512 Can't lookup UNIX group Domain Admins Is there something with initial compiling samba 3.0.0 that would disable this? All the documentation that I've seen makes it look so easy, but I can't get it to work. On Fri, 2003-11-07 at 06:48, [EMAIL PROTECTED] wrote: > try /usr/local/samba/bin/net groupmap add ntgroup="Domain > Admins" unixgroup="Domain Admins" rid=512 > > dn: cn=Domain Admins,ou=Groups,o=30GreatNeck,dc=home,dc=net > objectClass: posixGroup > > This group is the unix group. > > --- > StÃphane PURNELLE [EMAIL PROTECTED] > Service Informatique Corman S.A. Tel : 00 32 087/342467 > > > > > "Kent L. Nasveschuk" <[EMAIL PROTECTED]> > > Envoyà par : Pour : > Samba List Server <[EMAIL PROTECTED]> > [EMAIL PROTECTED]cc : > > .samba.org Objet : >[Samba] Net groupmap fails > > > > > 07/11/2003 12:31 > > > > > > > > > > I have yet to get group mapping to work in samba 3.0. Getting very > frustrated. > > I'm using openldap 2.1.23 as the backend database for samba 3.0.0. I've > added the base domain groups as posixAccounts to the LDAP database using > smbldap-populate.pl. > > [EMAIL PROTECTED]:/usr/local/etc/openldap# ldapsearch -xv -b > "o=30greatneck,dc=home,dc=net" > > # Administrator, Users, 30GreatNeck, home.net > dn: uid=Administrator,ou=Users,o=30GreatNeck,dc=home,dc=net > cn: Administrator > sn: Administrator > objectClass: inetOrgPerson > objectClass: sambaSAMAccount > objectClass: posixAccount > gidNumber: 512 > uid: Administrator > uidNumber: 998 > homeDirectory: /accounts > sambaPwdLastSet: 0 > sambaLogonTime: 0 > sambaLogoffTime: 2147483647 > sambaKickoffTime: 2147483647 > sambaPwdCanChange: 0 > sambaPwdMustChange: 2147483647 > sambaHomePath: \\Lnxsrv2\accounts > sambaHomeDrive: H: > sambaProfilePath: \\Lnxsrv2\profiles\ > sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-512 > sambaLMPassword: XXX > sambaNTPassword: XXX > sambaAcctFlags: [U ] > sambaSID: S-1-5-21-739112995-4084651483-89095900-2996 > loginShell: /bin/false > gecos: Netbios Domain Administrator > > > # nobody, Users, 30GreatNeck, home.net > dn: uid=nobody,ou=Users,o=30GreatNeck,dc=home,dc=net > cn: nobody > sn: nobody > objectClass: inetOrgPerson > objectClass: sambaSAMAccount > objectClass: posixAccount > gidNumber: 514 > uid: nobody > uidNumber: 999 > homeDirectory: /dev/null > sambaPwdLastSet: 0 > sambaLogonTime: 0 > sambaLogoffTime: 2147483647 > sambaKickoffTime: 2147483647 > sambaPwdCanChange: 0 > sambaPwdMustChange: 2147483647 > sambaHomePath: \\Lnxsrv2\accounts > sambaHomeDrive: H: > sambaProfilePath: \\Lnxsrv2\profiles\ > sambaPrimaryGroupSID: S-1-5-21-739112995-4084651483-89095900-514 > sambaLMPassword: NO PASSWORDX > sambaNTPassword: NO PASSWORDX > sambaAcctFlags: [NU ] > sambaSID: S-1-5-21-739112995-4084651483-89095900-2998 > loginShell: /bin/false > > # Domain Admins, Groups, 30GreatNeck, home.net > > # Domain Admins, Groups, 30GreatNeck, home.net > dn: cn=Domain Admins,ou=Groups,o=30Gr
