Re: [Samba] Login time logging?
On Fri, 2004-01-30 at 23:49, Remco Barendse wrote:

> Hi all! I need a setup that will log exactly when a user has logged in or out of samba. Preferably I would like to have a separate list per user, but this can also be achieved with grep. I found some solutions that rely on login script processing which is nice if your clients are running Win95/Win98 but for anything else it won't work. Anybody know of a solution?

Many people enable utmp support on the server for this.

I have in [netlogon] a

    root preexec = /usr/local/samba/bin/netlogon-preexec.sh %u %I %m %T

shell script which does:

    #!/bin/sh
    # Parameters:
    # 1.: user, %u
    # 2.: Client IP, %I
    # 3.: NetBIOS machine name, %m
    # 4/5.: Timestamp, %T
    # 6.: Group, %g
    # 4/5 (Timestamp) are no longer used
    /samba/netlogon/generateLoginBatch $1 $2 $3
    # The user name, NetBIOS name and IP are interpolated straight into the
    # SQL text; the first two are values the client supplies.
    echo "insert into logins (user, host, ip, date, time) values ('$1', '$3', '$2', curdate(), curtime());" | /usr/bin/mysql -u mysqlUser sambaLogins

Windows does (AFAIK) not have the concept of logout scripts, so you'll never know when people log out.

When I have spare time I sometimes generate a little machine-usage report from that data.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
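The same logon-logging idea as the root preexec above, as an added example that is not the poster's script: the %u, %I and %m values are bound as query parameters instead of being spliced into the SQL text, and the per-user list and the machine-usage report are queries over the table. It uses sqlite3 so it runs offline; the table layout mirrors the post's `logins` table (column names user, host, ip, date, time assumed), and the logon events are constructed sample data.

```python
"""Record Samba logon events and build a usage report (added example).

Mirrors the netlogon root preexec from the post with bound parameters;
sqlite3 stands in for MySQL so this runs stand-alone.
"""
import sqlite3
from datetime import datetime, timedelta


def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS logins ("
        " user TEXT, host TEXT, ip TEXT, date TEXT, time TEXT)"
    )
    return con


def record_login(con, user, ip, machine, when=None):
    """Insert one logon event; the arguments map to %u, %I and %m."""
    when = when or datetime.now()
    con.execute(
        "INSERT INTO logins (user, host, ip, date, time) VALUES (?, ?, ?, ?, ?)",
        (user, machine, ip, when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S")),
    )
    con.commit()


def logins_for_user(con, user):
    """Per-user list (host, ip, date, time), the per-user view asked for."""
    rows = con.execute(
        "SELECT host, ip, date, time FROM logins WHERE user = ? ORDER BY date, time",
        (user,),
    )
    return [tuple(r) for r in rows]


def machine_usage(con):
    """Logon count per machine, the 'machine-usage report' from the reply."""
    rows = con.execute(
        "SELECT host, COUNT(*) FROM logins GROUP BY host ORDER BY COUNT(*) DESC, host"
    )
    return dict(rows)


def demo():
    """Constructed sample events; the quote in the last user name shows that
    a client-supplied %u no longer breaks the statement."""
    con = open_db()
    t = datetime(2004, 1, 30, 8, 0, 0)
    record_login(con, "alice", "10.0.0.5", "ROOM1-PC01", t)
    record_login(con, "bob", "10.0.0.6", "ROOM1-PC02", t + timedelta(minutes=1))
    record_login(con, "alice", "10.0.0.6", "ROOM1-PC02", t + timedelta(minutes=2))
    record_login(con, "o'brien", "10.0.0.7", "ROOM2-PC01", t + timedelta(minutes=3))
    return con
```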
[Samba] smbpasswd -a -m machine fails: Failed to modify password entry
Hi, I try to create a new machine account, like I always did, but haven't done since 3.x. My backend is ldap:

    passdb backend = ldapsam:ldap://fileserver
    idmap backend = ldapsam:ldap://fileserver

As root I do the following:

    smbpasswd -D 10 -a -m admeta

    - Netbios name list:-
    my_netbios_names[0]=FILESERVER
    tdb(unnamed): tdb_brlock failed (fd=3) at offset 4 rw_type=1 lck_type=13: Resource temporarily unavailable
    Trying to load: ldapsam:ldap://fileserver
    Attempting to register passdb backend ldapsam
    Successfully added passdb backend 'ldapsam'
    Attempting to register passdb backend ldapsam_compat
    Successfully added passdb backend 'ldapsam_compat'
    Attempting to register passdb backend smbpasswd
    Successfully added passdb backend 'smbpasswd'
    Attempting to register passdb backend tdbsam
    Successfully added passdb backend 'tdbsam'
    Attempting to register passdb backend guest
    Successfully added passdb backend 'guest'
    Attempting to find an passdb backend to match ldapsam:ldap://fileserver (ldapsam)
    Found pdb backend ldapsam
    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BBS1_EMDEN))]
    smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BBS1_EMDEN))]
    smbldap_open_connection: ldap://fileserver
    smbldap_open_connection: connection opened
    ldap_connect_system: Binding to ldap server ldap://fileserver as cn=root,dc=bbs1-emden,dc=schule
    ldap_connect_system: succesful connection to the LDAP server
    The LDAP server is succesful connected
    pdb backend ldapsam:ldap://fileserver has a valid init
    Attempting to find an passdb backend to match guest (guest)
    Found pdb backend guest
    pdb backend guest has a valid init
    smbldap_search_suffix: searching for:[(&(uid=admeta$)(objectclass=sambaSamAccount))]
    ldapsam_getsampwnam: Unable to locate user [admeta$] count=0
    Finding user admeta$
    Trying _Get_Pwnam(), username as lowercase is admeta$
    Trying _Get_Pwnam(), username as uppercase is ADMETA$
    Checking combinations of 0 uppercase letters in admeta$
    Get_Pwnam_internals didn't find user [admeta$]!
    Failed to initialise SAM_ACCOUNT for user admeta$.
    Failed to modify password entry for user admeta$

What do I do wrong?

    ldapsearch -x -D ADMIN-DN -w secret uid=admeta*

says:

    dn: uid=admeta$,ou=hardware,dc=bbs1-emden,dc=schule
    objectClass: posixAccount
    objectClass: account
    cn: admeta$
    uid: admeta$
    uidNumber: 10090
    gidNumber: 502
    homeDirectory: /home/admeta
    loginShell: /bin/false
    description: machine
    l: ver
    userPassword:: e1NNRDV9VnFXV0F0Z2JBKzVyYTFLN2VwVzVIOGlUM3h3PQ==

The machine is in group ou=hardware. My /etc/ldap.conf is:

    URI ldap://localhost:389/
    BASE dc=bbs1-emden,dc=schule
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    nss_base_passwd ou=accounts,dc=bbs1-emden,dc=schule?one
    nss_base_group ou=groups,dc=bbs1-emden,dc=schule?one

My smb.conf is:

    [global]
    workgroup = BBS1_EMDEN
    passdb backend = ldapsam:ldap://fileserver
    idmap backend = ldapsam:ldap://fileserver
    ldap suffix = dc=bbs1-emden,dc=schule
    ldap user suffix = ou=accounts
    ldap group suffix = ou=groups
    ldap machine suffix = ou=hardware
    ldap idmap suffix = ou=idmap
    idmap uid = 4-6
    idmap gid = 4-6
    ldap admin dn = cn=root,dc=bbs1-emden,dc=schule
    ldap ssl = off

I tried various things, but I simply have no idea what might be wrong. (Tried cn=admeta$, copied uid=admeta$ to ou=accounts = duplicate entries.)

Has anybody any idea?

Thanks, Malte Mueller
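An added check (not part of the post) for the NSS side of the failure shown above, where Samba's _Get_Pwnam() lookup does not find admeta$: given the nss_base_passwd line from the ldap.conf quoted in the post, does a DN fall inside the base and scope that nss_ldap will search? The DN and the config lines are the post's own; the parser assumes no escaped commas in DNs.

```python
"""Test an LDAP DN against nss_ldap base/scope settings (added example)."""


def split_dn(dn):
    """Split a DN into normalised RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def parse_nss_base(line):
    """'nss_base_passwd <base>?<scope>' -> (base, scope); scope defaults to sub."""
    _, value = line.split(None, 1)
    base, _, scope = value.partition("?")
    return base.strip(), (scope.strip() or "sub")


def dn_in_scope(dn, base, scope):
    """True if a search with that base and scope would return dn."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False               # not under the base at all
    depth = len(d) - len(b)        # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True                    # sub


def visible_via_nss(dn, ldap_conf_lines, map_name="nss_base_passwd"):
    """Apply every nss_base_<map> line; with none, the BASE line (scope sub) applies."""
    bases = [parse_nss_base(l) for l in ldap_conf_lines if l.startswith(map_name)]
    if not bases:
        base = next((l.split(None, 1)[1] for l in ldap_conf_lines if l.startswith("BASE")), "")
        bases = [(base, "sub")]
    return any(dn_in_scope(dn, b, s) for b, s in bases)


LDAP_CONF = [  # the relevant lines from the post's /etc/ldap.conf
    "URI ldap://localhost:389/",
    "BASE dc=bbs1-emden,dc=schule",
    "nss_base_passwd ou=accounts,dc=bbs1-emden,dc=schule?one",
    "nss_base_group ou=groups,dc=bbs1-emden,dc=schule?one",
]
MACHINE_DN = "uid=admeta$,ou=hardware,dc=bbs1-emden,dc=schule"   # from the ldapsearch output
```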
Re: [Samba] Question about groups in ldap
On Fri, 2003-12-12 at 15:29, Gerald (Jerry) Carter wrote:

> Tilo Lutz wrote:
> | In Samba-Developers-Guide.pdf included with samba 3.0
> | page 72f. In the document well known groups have
> | special names starting with DOMAIN_. Can Windows clients
> | recognize these names and translate them into localized
> | groupnames, like user or power users in english and
> | Benutzer and Hauptbenutzer in german?
>
> That reference in the PDF file is a #define for the well known rids. You can setup a group mapping entry using whatever name you wish.
>
> How does MS handle this? If I have an english server with the well known group users and a german client, will the group name be translated into Benutzer?

If I got it right, the name doesn't matter much. Important is the rid. The name shown is the one you gave the group but it is handled according to its rid.

mamue
Re: [Samba] SAMBA Groups and Permissions
I am not sure if I got you right. You do not tell us the access rights of the directory concerned. If your primary unix group is user and your dir. has:

    drwx---rwx root user board

then you are not allowed to access, because group rights match first and they forbid your access. If you weren't user but world, then you would be allowed. This has nothing to do with samba.

You might want to change the group to nogroup and work with acls (if ext3, XFS and alike). Or if you have plenty of CPU cycles to waste you might work with valid users in smb.conf. But I'm not a security or filesystem expert and may be completely wrong.

Kind regards, Malte Müller

> hi
>
> I have a user
>
>     ~# id test_user
>     uid=500,gid=500 (users),groups (users,kids)
>
> as you can see, this user is in primary group users and also member of group kids.
>
> If he tries to access /home/board via smb (Samba 3.0 + openldap) from a windows client (XP), he fails, because his sambaPrimaryGroupSID maps to users and /home/board is not accessible for group users - just for kids.
>
> If I add valid users = @kids to the /home/board share, access is granted.
>
> Isn't it possible in samba, that the user test_user gets an attribute like sambaSecondaryGroup in ldap so that samba knows: this user is in group users AND kids, so I have to try connections to share /home/board as group users AND kids ???
>
> If I login locally to the samba PDC with a console as test_user, access to /home/board is granted, 'cause I'm member of kids so there's no permission problem.
>
> please help me !!!
>
> greez
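The Unix mode-bit rule the reply describes (owner class, else group class as soon as any of the user's groups matches, else other, and the later classes are never consulted), as an added example that is not from the thread. It runs the two cases above: the `drwx---rwx root user board` directory, and test_user with primary group users and supplementary group kids against /home/board. Only mode bits are modelled, not ACLs or Samba's own checks; the numeric ids and the 0770 mode of /home/board are assumed.

```python
"""Unix permission classes: owner, then group, then other (added example)."""
from collections import namedtuple

User = namedtuple("User", "uid gid groups")       # groups: supplementary gids
FileObj = namedtuple("FileObj", "mode uid gid")    # mode as an octal int

R, W, X = 4, 2, 1


def permission_class(user, obj):
    """Which of the three bit triplets applies to this user."""
    if user.uid == obj.uid:
        return "owner"
    if obj.gid == user.gid or obj.gid in user.groups:
        return "group"
    return "other"


def allowed(user, obj, want):
    """want: bitmask of R/W/X; True if every requested bit is granted."""
    if user.uid == 0:
        return True                                # root bypasses mode bits
    cls = permission_class(user, obj)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (obj.mode >> shift) & 7                 # only that class is consulted
    return bits & want == want


def explain(user, obj):
    """(class used, may enter the directory) for a directory entry."""
    return permission_class(user, obj), allowed(user, obj, R | X)


# Constructed ids: root=0, group 'user'=100. The directory from the reply.
BOARD_DIR = FileObj(0o707, 0, 100)                 # drwx---rwx root user board
MEMBER_OF_USER = User(1000, 100, ())
OUTSIDER = User(1001, 200, ())

# test_user from the question; gid 501 = kids, mode of /home/board assumed 0770.
HOME_BOARD = FileObj(0o770, 0, 501)                # drwxrwx--- root kids
TEST_USER_FULL = User(500, 500, (500, 501))        # as 'id test_user' shows it
TEST_USER_PRIMARY_ONLY = User(500, 500, ())        # a lookup that only sees the primary group
```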
Re: [Samba] Samba Import User Scipt
> I would like to use the Samba server as a PDC for a school. Because of the high number of students it is not possible for us to add every student by hand and think about a pw. Has anyone designed a script which reads the users from an ASCII file and adds them to samba?
>
> Regards, Michael Lechner

I have for the same purpose created two little perl scripts which read from standard in. The first creates accounts for pupils, the other for teachers. I create 40 accounts per class:

    #! /usr/bin/perl
    # Reads one class marker per line from stdin and prints an LDIF entry
    # for each of the 40 pupil accounts of that class.
    open( PASSWD, "./passwdGen.sh|" );    # opened but not used in this script
    $lastUID = 7976;
    @usersPre = <STDIN>;
    $lastUID++;
    foreach $userMark ( @usersPre ) {
        chop( $userMark );
        for( $i=1; $i <= 40; $i++ ) {
            print "dn: cn=$userMark-$i,dc=my-org,dc=schule\n";
            #print "dn: cn=$userMark-03-$i,dc=my-org,dc=schule\n";
            print "objectclass: posixAccount\n";
            print "objectclass: account\n";
            print "objectclass: mailRecipient\n";
            print "cn: $userMark-$i\n";
            #print "cn: $userMark-03-$i\n";
            print "uid: $userMark-$i\n";
            #print "uid: $userMark-03-$i\n";
            print "uidNumber: $lastUID\n";
            print "gidNumber: 500\n";
            print "homeDirectory: /home/schueler/$userMark-$i\n";
            print "loginShell: /bin/false\n";
            print "mail: [EMAIL PROTECTED]\n";              # address redacted by the list archive
            print "mailLocalAddress: [EMAIL PROTECTED]\n";  # address redacted by the list archive
            print "mailDeliveryOption: accept\n";
            print "description: schueler\n";
            print "\n";
            $lastUID++;
        }
    }

Creating the teacher accounts is nearly the same, except for the gid and the for loop. It creates the ldif, so I can just have a quick look at it, before I ldapadd it. After the entries are added, I add the sambaSamAccount:

    #! /usr/bin/perl
    # For every pupil account of each class read from stdin: generate a
    # password, set it in LDAP and in the Samba passdb, set home drive and
    # home directory, and create the Unix home directory.
    open( PASSWD, "/root/createUser/passwdGen.sh|" );
    @usersPre = <STDIN>;
    foreach $userMark ( @usersPre ) {
        chop( $userMark );
        for( $i=1; $i <= 40; $i++ ) {
            open( PASSWD, "./passwdGen.sh|" );    # one fresh password per account
            $pass = <PASSWD>;
            chop( $pass );
            print "#\n";
            print "#$userMark-03-$i \t \t $pass \n";
            print "#\n";
            # The ldap admin password and the generated password are passed on
            # the command line here, where other local processes can read them.
            system( "ldappasswd -D cn=root,dc=my-org,dc=schule -x -w \"insecure-way!\" -s \"$pass\" cn=$userMark-03-$i,dc=my-org,dc=schule" ) && die "unexpected ldappasswd error";
            system( "/opt/samba3/bin/smbpasswd -a $userMark-03-$i \"$pass\"" ) && die "unexpected smbpasswd error";
            system( "/usr/local/samba/bin/pdbedit -u $userMark-03-$i -d P:" ) && die "unexpected pdbedit homedrive error";
            system( "/usr/local/samba/bin/pdbedit -u $userMark-03-$i -h fileserver\\$userMark-03-$i" ) && die "unexpected pdbedit homedir error";
            system( "mkdir /home/schueler/$userMark-03-$i" ) && die "unexpected mkdir error";
            system( "chown $userMark-03-$i /home/schueler/$userMark-03-$i" ) && die "unexpected chown error";
            system( "chgrp lehrer /home/schueler/$userMark-03-$i" ) && die "unexpected chgrp error";
            system( "chmod 770 /home/schueler/$userMark-03-$i" ) && die "unexpected chmod error";
        }
    }

The passwdGen.sh is simply:

    #!/bin/bash
    /root/bin/apg -a 0 -M cn -E 0O1lI -n 1 -m 8 -x 8

which uses apg (Advanced Password Generator) to create somewhat secure passwords which are readable and easy to remember (I don't let the users change their passwords).

Have fun, Malte Müller, BBS1 Emden
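The same batch scheme as the two perl scripts above (one class marker per input line, 40 accounts per class, sequential uidNumbers starting where the first script starts), as an added example in Python that is not the poster's code. Its password generator avoids the confusable characters 0 O 1 l I like the apg call in passwdGen.sh but uses the `secrets` module; the base DN and attributes are the post's, and the mail domain is a placeholder because the list archive redacted it.

```python
"""Batch pupil accounts as LDIF plus a credentials sheet (added example)."""
import secrets
import string

BASE_DN = "dc=my-org,dc=schule"
MAIL_DOMAIN = "example.invalid"      # placeholder: the real domain is redacted in the post
CONFUSABLE = set("0O1lI")            # same exclusion set as the apg -E option above
ALPHABET = [c for c in string.ascii_letters + string.digits if c not in CONFUSABLE]


def gen_password(length=8):
    """Letters and digits without 0/O/1/l/I, from the secrets module (not apg)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def pupil_entries(class_marks, first_uid=7977, gid=500, per_class=40):
    """Yield (dn, [(attr, value), ...]) for every pupil account; uids are sequential."""
    uid_number = first_uid
    for mark in class_marks:
        mark = mark.strip()
        if not mark:
            continue
        for i in range(1, per_class + 1):
            name = f"{mark}-{i}"
            yield (f"cn={name},{BASE_DN}", [
                ("objectclass", "posixAccount"),
                ("objectclass", "account"),
                ("objectclass", "mailRecipient"),
                ("cn", name),
                ("uid", name),
                ("uidNumber", str(uid_number)),
                ("gidNumber", str(gid)),
                ("homeDirectory", f"/home/schueler/{name}"),
                ("loginShell", "/bin/false"),
                ("mail", f"{name}@{MAIL_DOMAIN}"),
                ("mailLocalAddress", f"{name}@{MAIL_DOMAIN}"),
                ("mailDeliveryOption", "accept"),
                ("description", "schueler"),
            ])
            uid_number += 1


def to_ldif(entries):
    """Render entries as LDIF text; records are separated by a blank line."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        out.extend(f"{k}: {v}" for k, v in attrs)
        out.append("")
    return "\n".join(out) + "\n"


def credentials_sheet(class_marks):
    """(uid, password) pairs, like the per-class list the second script prints."""
    return [(dict(attrs)["uid"], gen_password()) for _, attrs in pupil_entries(class_marks)]
```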
[Samba] PDC/BDC with ldap: variable possible in sambaProfilePath / sambaHomePath?
Hi, I have a working PDC and a BDC, both samba 3.0.1pre3 (better than ever). I have the master ldap on the PDC, the BDC is a slave. Thus, both directories are to be identical, I think.

I have the sambaHomePath and the sambaProfilePath in every user entry, as I tried to balance profiles between two servers for the sake of some more network speed (100MBit each server). Now I came to a point where I found that some redundancy is better than speed ;-) and would like to ask others whether it is a foolish idea not to define the home and profile path in smb.conf, or if the BDC should have its own ldap source so entries differ.

Comments welcome, Malte Mueller

Maybe important: SuSE9, Openldap 2.1.12/2.1.22, ~1500 users, ~200 PC (NT4/W2k).
Re: [Samba] Samba-3.0.1pre1 and LDAP
Hi, from my experience, there are few possible reasons, but none relates to samba.

1.: Check (loglevel 256 in slapd.conf) the search filters. Try to manually ldapsearch those to make really sure you have all necessary attributes indexed. If you think you have indexed them, but search is slow, try rebuilding the indices (slapindex). Don't make the same mistake I did and use the correct version of slapindex if you compiled your own.
2.: The use of valid users = @foo, @bah ... in smb.conf is nearly always not clever.
3.: You might want to try nscd to cache groups and users.
4.: Old OpenLDAP versions are IMHO slow (2.0.x), try 2.1.

Have fun, Malte Mueller

> Hiya, I have recently upgraded samba to 3.0.1pre1 from alpha3-19. The upgrade went well with no real problems, except. I have noticed today that the load on the LDAP server is extremely high. CPU usage on slapd is anywhere between 10%-80%. At one point today everything came to a grinding halt. The only difference I can think of is the samba upgrade. This is with an average load of about 300 users. Can anyone think why samba is causing slapd to max out??
>
> Cheers - Kristyan Osborne - IT Technician / Community Manager, Longhill High School, 01273 391672 / 304086
[Samba] problem with group mapping
Hi, I use now samba3.0.1pre1 with ldapsam (OpenLDAP 2.1.23). After I played with sambaGroupMapping I now get the error message:

    Die angegebene Gruppe ist nicht vorhanden

(The given group does not exist) when I log in (administrator).

Admin's SID is: S-1-5-21-1091375802-1471697927-1951840895-500
Domain SID is: S-1-5-21-1091375802-1471697927-1951840895

The error occurred after I created an administrators group in ldap with (first free) gid 3019 and SID S-1-5-21-1091375802-1471697927-1951840895-512, added a groupMapping to my susers (all samba users) with rid 513, and created for testing a group guest with no memberUIDs and rid 514. All groups had type 0 (zero). I removed all those groups, but the error remains. PDC and BDC have the same Domain-SID.

What did I do wrong, or what is the correct way to do this? I especially don't know what to do with group guest - is this nobody or nogroup in unix? I read across the documentation but didn't find something helpful, or did I read across some important points?

Thanks in advance for any help, Malte Müller
Re: [Samba] Suggestions for argument for Samba over Windows 2003?
> Hi, I'm currently running a RedHat 9 (which means Samba 2.2.7) on a DELL server. The hardware should be fine to handle the load for the whole school, which comprises about 200 - 250 users. (This server is currently controlling the Samba domain for one of the former schools). So, anyway, from my reading of the doco so far, it would seem that we could integrate the Unix box one of two ways:
>
> - Upgrade it to Samba 3, and have it join the Win 2003 domain. Since the only access we're supporting into the box is SMB, we don't need to worry about setting or syncing the Unix password. I still need some way to create the underlying unix account though, preferably with consistent, rather than randomly assigned uids/gids. I could use normal Unix commands to manually create the Unix accounts, but since I have previously set up an OpenLDAP box and made accounts on it for everyone, I could probably homebrew some sort of web-based makeuser script, and point NSS at it.
> - Leave it on Samba 2.2.7, leave it off the whole domain thingo, set security=server and point the password server at one of the AD boxes, and touch wood. Even if we don't have 2 passwords and password syncing, we still have a small issue of having 2 sets of accounts, and needing to create/delete accounts in 2 places.

If you were living in northern Germany, I would invite you to come to my site, so we could discuss that with a working setup at hand. I am running at this school a setup with a PDC (1GHz HP, 1GB RAM) and a BDC (similar, but P4) with a user base of about 7000. Only about 1500 are active users, as user accounts are created by a perl script, 40 accounts per class. Every user has of course his/her own home directory and as far as I know, all users are more satisfied with this network than they were before (Netware, W2k Advanced Server).

We had a license of w2k advanced server and I am glad that I never gave it a try, though I had never set up a samba PDC before (I just told them it was no problem :-)). I am just about to switch completely to samba3.0.1pre1 (I know it's not for productive use, but we don't produce anything here ;-) ) and it seems to be worth it for the smaller load concerning ldap. The CPU load wasn't a problem, but I always had to have an eye on it, sometimes it was at 100%, as many users log in at the same moment in school environments.

In my opinion masses of accounts are better handled by some scripts than by GUI and I find it easier to write those scripts on unix. Furthermore, OpenLDAP is better documented and more standard-conformant, it's easier to extend it with my own schemas (for problem reporting and management, login script storage) plus standard schemas for mail routing. Difficulties with samba will occur, but they do as well with Windows whatsoever, be it 2000, XP or 2003. Actually, few people here know that the servers are running Linux/Samba...

Sincerely, Malte Müller
Re: [Samba] Re: More than one logon script, can I have?
Hi!

On Thu, Sep 18, 2003 at 12:11:10PM +0200, [EMAIL PROTECTED] wrote:

> > I create all logon scripts on the fly from ldap. I created a little schema with a script attribute and there I put all DOS batch commands. At logon time (preexec in [netlogon]) for every user all script parts for the groups the user belongs to, the room script (rooms associate to IPs) for the printer connection and at last the script from the user entry, if there is any script attribute, are taken from ldap. It doesn't take much CPU power and works since half a year without any faults. If anything does not work (Can't print!) I can still examine the batch file.
>
> But which logon parameters could be used at the logon? Do I get the full dn?

No. I use %u, %I, %m. %u is equal to uid, I map %I manually to the room. With the uid I get all groups the user belongs to and, if you wish, the branch he is in.

I tried perl for creating, but I switched very soon to C. Otherwise every logon would start the perl interpreter. My binary from C source is just 12488 bytes. The source is an ugly mess, since I am a java programmer... but anyway, it works and I don't touch the source as long as I can avoid it.

Again: I got my private OID from IANA and invented my own schema. These objectClasses are added to every entry concerned (all posixGroup e.g.)

Malte Müller
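The assembly the poster describes, as an added example that is not his C program: script fragments stored in a custom attribute on group entries, a room fragment chosen from the client IP (%I), and an optional per-user fragment, concatenated into one batch file for the user (%u) the [netlogon] preexec receives. The directory content is a constructed in-memory stand-in for ldapsearch results, and the attribute name logonScriptPart and the share names are assumptions.

```python
"""Build a per-user logon batch from group, room and user fragments (added example)."""
import ipaddress

# Constructed directory contents standing in for ldapsearch results.
GROUPS = {  # posixGroup cn -> (memberUid list, logonScriptPart)
    "pupils":   (["anna-1", "ben-2"], "net use H: \\\\fileserver\\%USERNAME%"),
    "teachers": (["mueller"], "net use T: \\\\fileserver\\lehrer"),
    "cad":      (["ben-2"], "net use S: \\\\fileserver\\cad"),
}
ROOMS = [  # (client network, logonScriptPart): rooms are associated with IP ranges
    ("10.1.1.0/24", "net use LPT1: \\\\fileserver\\room1-printer"),
    ("10.1.2.0/24", "net use LPT1: \\\\fileserver\\room2-printer"),
]
USERS = {  # uid -> optional personal logonScriptPart
    "mueller": "net use X: \\\\fileserver\\admin",
}


def groups_of(uid):
    """All group cns the user is a member of (memberUid), sorted for stable output."""
    return sorted(cn for cn, (members, _) in GROUPS.items() if uid in members)


def room_script(client_ip):
    """The fragment of the room whose network contains the client IP, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net, script in ROOMS:
        if ip in ipaddress.ip_network(net):
            return script
    return None


def build_logon_batch(uid, client_ip):
    """Batch text for user %u logging on from %I: group parts, room part, user part."""
    lines = ["@echo off", f"rem generated for {uid} from {client_ip}"]
    for cn in groups_of(uid):
        lines.append(f"rem group {cn}")
        lines.append(GROUPS[cn][1])
    room = room_script(client_ip)
    if room:
        lines.append("rem room")
        lines.append(room)
    if uid in USERS:
        lines.append("rem user")
        lines.append(USERS[uid])
    return "\r\n".join(lines) + "\r\n"     # DOS line endings for the client
```

Unlike one shared script with a Select Case per user, each generated file contains only the fragments that apply to that user.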
RE: [Samba] Re: More than one logon script, can I have?
> You don't have to use a batch file for a logon script. You can use a Visual Basic script instead. You can use Select Case to have it do different things for different users.

Interesting idea, but that would mean that all users would have access to the script and could see what others were getting, couldn't they? The example in the manual with Perl making a script on the fly looks interesting though. I haven't read it through yet, busy busy :(.

> I create all logon scripts on the fly from ldap. I created a little schema with a script attribute and there I put all DOS batch commands. At logon time (preexec in [netlogon]) for every user all script parts for the groups the user belongs to, the room script (rooms associate to IPs) for the printer connection and at last the script from the user entry, if there is any script attribute, are taken from ldap. It doesn't take much CPU power and works since half a year without any faults. If anything does not work (Can't print!) I can still examine the batch file.
>
> Just my 0,02
>
> Malte Müller
[Samba] PC loosing domain membership frequently
Hi, I'm new to this list. I tried to google and did a _bit_ of searching in the archive but didn't find anything related to my problem.

I use samba 2.2.8a as the PDC on SuSE-linux 8.0. I administrate 7 rooms with 160 PC, mainly w2k-sp3 and some older with NT4-sp6. In two of seven rooms some PC lose their domain membership. I can bring them back into the domain, but they seem to lose it after a few days again.

This summer I updated all w2k from SP0 (i.e. no ServicePack) to SP3 and installed some other software (mozilla etc). I made for each room one image and duplicated these to all other PC. Last year this worked without such faults (no SP, except NT4-sp6). In three out of five rooms I have no problems. In one room, all PC lost membership, but I did not have any problems again since I fixed it manually.

This year I tried to bring the w2k PC into the domain by using wsname, a tool which can change the workstation name without leaving the domain (I have a little wsh script which looks up the workstation name in DNS and fixes the computer name). May that be the reason?

I checked for duplicate RID and uidNumber in my ldap, but didn't find any duplicates. Are there any other limitations relating to the uidNumber and rid I should take care of?

All PC are equipped with reborn cards, that is, all local changes are undone at the next reboot (when not disabled).

Could anyone give me any helpful comment?

Thanks a lot, Malte Mueller