[Samba] Re: change ldap accounts to samba ldap accounts

2007-04-19 Thread paul kölle
James Tran wrote:
> Hi i've got a situation where i need to add samba support to every
> account in my ldap database.
> I already have an ldap database populated with a couple hundred users
> and need to be able to use the same password they use for their login as
> for their samba accounts.
> Is there anyway to add all the samba attributes to their ldap accounts
> and also migrate their passwords from the standard md5 unix passwords to
> sambaLM and sambaNT password like via script or something?
Yes and no. You can manually add the required attributes from
samba.schema with ldapmodify or something similar. You cannot convert
the md5 hash; hashes are one-way, that's the point of having them.

> To make things short.
> I want all my existing ldap users to have a single password in ldap
> without having to do a "smbpasswd -a username" for every account
You need all three attributes (userPassword, sambaLM..., sambaNT...),
samba can update the unix password if users change the password from
windows clients (sync ldap password = yes, OTOH). If you don't want to
have new passwords you'd need access to the cleartext passwords or
require users to change their password and intercept this to get the pw...

cheers
 Paul

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Slightly OT - Samba 3 and Windows DNS

2006-01-17 Thread paul kölle
Rogers, Paul wrote:
> Mogens
> 
> Thanks for the answer.  The problem that I have is with the Samba
> servers which have static IP's and so need some way of registering with
> the DNS server.  As I say the Windows servers seem to do it
> automatically but I need a method for the Linux servers to do it.
> 
> I thought of maybe doing something with PUMP but hoped some one else may
> already have solved the problem.
Windows has extended TSIG to be used with kerberos. Windows clients use
TSIG-GSS to update their records. Andrew Tridgell has written a tool to
update MS DNS from a linux host. You can find the tool here:
http://us1.samba.org/samba/ftp/tsig-gss/

Note: I've never used it myself.

cheers
 Paul



[Samba] Re: samba and kerberos doubt

2005-12-21 Thread paul kölle
Senthil wrote:
> in our lab we have a kerberos + ldap server to authenticate the  gnu/linux 
> users and we have configured samba to work as a PDC  authenticating the 
> windows users.
>   samba stores the password in encrypted format in  /etc/samba/smbpasswd.  
> The problem is when the password is changed  by windows users we need to 
> change the password of kerberos  credentials. Is there a way in samba in to 
> do that i.e to synchronise  the password change in kerberos and samba. We are 
> using samba 3.0.5 in  debian sarge system.
>   
>   
>   S.Senthil
Yes, but it's not straightforward. You can use openldap as a backend for
heimdal kerberos and use the smbk5pwd overlay to synchronize.

cheers
 Paul



[Samba] Re: SAMBA3 + LDAP

2005-12-21 Thread paul kölle
mallapadi niranjan wrote:
> Hi paul
> 
> Thanks for Guiding me  .
> 
> I am creating a PDC and 2 BDC's with samba3 with LDAP,
> 
> sorry if this is silly question, since i  am new, guide me
> 
> 1) what all default ACL's need to be written in slapd.conf
> apart from users changing passwords . with respect to the samba 3 LDAP
> schema,
How am I supposed to know? It's your setup. I tend to create an
administrative DN in ldap, say cn=smbadmin,ou=admins,dc=whatever... and
give it full access to samba attributes and the pseudo attributes
(children,entry). Then I have one rootbinddn for /etc/ldap.conf with
full write access to @posixAccount attributes. All other nss_ldap
operations (for getent, id, etc) are done anonymously.

> i have only these OU's which come with smbldap tools
> 1) Domain Admins, Domain Groups, People, Groups, Computers, IDMAP,
Does this make sense to you? Why do you need so many containers? I use
ou=users, ou=groups, ou=idmap. Whether a group is usable for samba is
determined by its attributes. A samba group has to be a unixGroup or
groupOfNames anyway and since you have to set up nss_ldap to search with
?sub they will all count as unix groups as well.

> 
> 2) I have a PDC and some other system as File server, ie i want folders in
> another system as default home drive , which i want to write in Logon
> script, so user to redirect to his home drive in another system, should i
> install samba in that system also or should i do NFS mount ,
Don't use NFS, it has incomplete locking semantics, join the fileserver
to your domain.

> and i have about 500 groups and i want folders  in the files systems to be
> mapped in the file server to be mapped as drives, which probably i will
> write a Logon script, but the confusion is how do i go about it,
There is no magic here, if you have samba on your fileserver joined to
your domain, you can access all its shared folders through \\foo\bar
syntax. You need nss_ldap on the member server as well to unify your
uid/gid namespace.

> 3) if i use NFS , i want nfs mount to be with ACL support so that i can use
> setfacl , and getfacl's in file server
Don't use NFS.
> 
> 4) i want to create 2 BDC's which , is it possible to synchronize PDC-> BDC
> and BDC->PDC, ie if i make any changes in BDC's will it get reflected in PDC
> also
For this to work, you need an ldap "master" server at the PDC and set up
replication to two "slave" ldap servers at both BDCs. Write operations
to the BDC will be directed to the master and replicated back to the slaves.

> 
> kindly guide me
Nope, sorry. You need to read up on general concepts about windows
networks, how LDAP works, etc. I suggest you start with the official
samba documentation "Samba by Example" by John Terpstra which is
available printed as well as online.
cheers
 Paul

> 
> Regards
> Niranjan



[Samba] Re: SAMBA3 + LDAP

2005-12-20 Thread paul kölle
mallapadi niranjan wrote:
> Hi
> 
> Thanks for Replying me . In the ACL below
> #
> #access to dn.base="dc=msdpl,dc=com"
> 
> access to attrs=sambaLMPassword,sambaNTPassword
>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
>  by * none
> access to attr=userPassword
>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>  by self write
>  by anonymous auth
>  by * none
> access to *
>  by * read
> 
> 
> 
> ###
> in by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read if i keep read/write
> it's not affecting
> 
> so i have changed my acl's
> #
> access to dn.base="dc=msdpl,dc=com"
>  attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
>  
> objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
>  telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
>  by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
>  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
>  by self write
>  by anonymous auth
>  by * none
That is write access to samba password hashes for everyone in the
ou=People container again. They are basically cleartext equivalent. ACLs
are evaluated "in order", first match rules. So to protect passwords you
could write something like (OTOH):

access to attrs=sambaLMPassword,sambaNTPassword,userPassword
 by self write
 by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
 by anonymous auth
 by * none

access to *
 by self write
 by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
 by * read

Note that this is NOT suitable for your environment and only serves as
an example as you probably want to prevent users from messing with
attributes enforcing a particular policy (like pwdMustChange). As Craig
noted, the uid=.*,ou=Domain Admins,... part doesn't make sense. If you
want group based access control you need the  syntax. Read the
manpage for access control (man slapd.access).

cheers
 Paul



[Samba] Re: SAMBA3 + LDAP

2005-12-20 Thread paul kölle
mallapadi niranjan wrote:

> Dec 20 10:52:43 testsystem slapd[3549]: conn=6 op=6 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> #
There is no administrator account..., you can map administrator to root
or create the administrator account in LDAP.

> 
> i have created a testuser using smbldap-useradd -a -m -A 1 -P testuser, and
> gave password.
> i could able to login with the user in the windows client, and able to
> change password.
> but that password is not getting updated shadow password.
> 
> my query is the ldap password and shadow password should be same. ie if i
> change a user password, will it get updated even in shadow password.
> so that if i login with the "testuser" in linux, i should able to login with
> the same password.
try in smb.conf:

ldap passwd sync = yes

> 
> Regards
> Niranjan



[Samba] Re: SAMBA3 + LDAP

2005-12-20 Thread paul kölle
mallapadi niranjan wrote:

[snip]
> #access to dn.base="dc=msdpl,dc=com"
> access to attrs=sambaLMPassword,sambaNTPassword
> by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
> by * none
> access to attr=userPassword
> by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> by self write
> by anonymous auth
> by * none
> access to *
> by * read
I don't understand this, you give *everyone* in the People container
write access to *all* passwords and those in ou=Domain Admins only read
access...?

confused
 Paul



[Samba] Re: SAMBA3 + LDAP

2005-12-17 Thread paul kölle
mallapadi niranjan wrote:
> Hi all
> 
> I have samba3 with LDAP , My query is
> 
> 1. My clients are windows 2000 professional, and the clients are not able to
> join the domain
> but if add the computer name in /etc/passwd
> ie computername$:x:110:200::/bin/false:/dev/null
> and then do smbpasswd -a -m computername , the computer is able to join the
> domain
> but i have mentioned the add machine script in smb.conf file
It seems you missed the nss_ldap part, what is in your /etc/ldap.conf
and /etc/nsswitch.conf?

> 
> 2. After Joining the domain, i am unable to login as Administrator, but able
> to login as root
> if i give command getent passwd | grep Administrator , there is no output
Again, nss_ldap setup is broken.

> 
> 3. How do i create groups , and add users to the groups, it is not taking
> system groups,
> when i do smbldap-populate, it adds people,group, Domain Admins, Domain
> Users, etc and root, but not system groups
> so how to add system groups ,
depends, if you have the "add user to group script" and friends set up
in smb.conf you can use usermgr.exe. You can use any ldap-tool to do it
though.

> 
> 4. in have smbldap-tool 0.9 , in that there is no mkntpasswd , is it ok, or
> this should be there, when i downloaded from the IDEALX website, it was not
> there int the TAR.gz file.
I think it has been replaced with some perl module recently.

cheers
 Paul



[Samba] Re: Hiding and showing folders in Samba.

2005-11-28 Thread paul kölle
Michel Bouchet wrote:

> Does anyone know how to solve it ?
"hide unreadable = yes" or other hide* parameters (man smb.conf)

cheers
 Paul



[Samba] Re: nsswitch not working for ldap

2005-11-20 Thread paul kölle
Tony Austin wrote:
> Is this what it should be?  Seems likely to me.
Nope, a unix account consists of the posixAccount OC from nis.schema; a
samba account needs an ADDITIONAL sambaSamAccount OC from samba.schema.
For groups it's posixGroup and sambaGroupMapping.

cheers
 Paul



[Samba] Re: Windows->LDAP->Samba

2005-11-16 Thread paul kölle
Mont Rothstein wrote:
> Do you agree that pGina should not be necessary?
Yes.





[Samba] Re: Windows->LDAP->Samba

2005-11-16 Thread paul kölle
Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.
Well, if I understood you correctly I'll say yes ;)

Don't make it harder than it is, there are only three parties involved

1) Windows (the client)
2) Samba ("app server")
3) LDAP (authentication backend)

Windows never talks directly to LDAP (at least not in this scenario), it
always contacts samba, PDC or not. So the windows box asks samba "hey, I
want to write to your disk..." and samba, being a sensitive piece of
software insists: "Wait a minute, tell me who you are and prove this
somehow, then I'll ask my backend if it knows you and if your proof
holds true,...".

The stupid windows client, not knowing that he speaks to the glory UNIX
world sends its usual credentials, a string like MYWORKSTATION\joe and a
"secret" hash.

Now samba looks for a UNIX user joe via the normal system calls used on
unix and in its configured backend for the hash and all the other pieces
needed in the windows world and not present on a normal unix system
account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
come from. They need to be known to the system where samba is installed,
period.

Fortunately, linux/unix has quite a few sources where names may come
from. This is abstracted through the NSS interface and implemented by
shared libraries whose names happen to be libnss_.so. If
you have a line like:

passwd: files ldap

in your /etc/nsswitch.conf, the system will ask libnss_files.so and
libnss_ldap.so for the names and numbers commonly known as "accounts".

In your case, you want to enable/disable/setup users in LDAP only. All
you have to do is:

1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
2. Instruct samba to fetch the windows bits from ldap (passdb backend).

couldn't stress this point of common misconception less, sorry.
 Paul



[Samba] Re: OpenLDAP and SAMBA

2005-11-15 Thread paul kölle
Miguel Lopez wrote:
> access to *
> by self write
> by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
> by * read
> 
> 
> access to attr=sambaLMPassword,sambaNTPassword
> by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
> by * none
> 
> access to attr=userpassword
> by self write
> by * read
> 
You need to fix those ACLs, they are evaluated "in order". The first
match wins. Your first rule gives read access to everyone to all
attributes, including sambaLMPassword, sambaNTPassword and userPassword.
Put the password restrictions on top of your ACL list.

cheers
 Paul

BTW: WRT the logon problem, you can narrow things down by viewing samba
and ldap log files to see if the correct object is looked up in the
directory and if the correct attributes are returned. "loglevel 128"
will give you logs of ACL evaluation for ldap (yes, they are confusing
at first).
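The first-match rule Paul describes, worked through as an added example that is not code from this thread or from OpenLDAP: a small Python model of slapd's ACL evaluation, run over the ACL quoted in this post and over the same clauses with the password rules moved to the top, plus the "everyone in ou=People may write all hashes" clause from the SAMBA3 + LDAP thread above. The user DNs, the treatment of `dn=` as an exact match, and the reduced privilege set are assumptions of the model.

```python
"""Model slapd's first-match ACL evaluation (constructed example, not OpenLDAP code).

Supports only 'access to *' / 'access to attrs=...' targets and the clauses
'by *|self|anonymous|users|dn="..."|dn.regex="..." <level>'.
"""
import re

# slapd privilege order (disclose/manage omitted); a level implies all below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse a minimal slapd.conf ACL block into [(attrs_or_None, [(who, level)])]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            if target == "*":
                rules.append((None, []))  # applies to every attribute
            else:
                m = re.fullmatch(r"attrs?=(.+)", target)
                if not m:
                    raise ValueError(f"unsupported target: {target}")
                rules.append(({a.strip().lower() for a in m.group(1).split(",")}, []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who.strip(), level))
        else:
            raise ValueError(f"unsupported line: {line}")
    return rules


def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause match the requester? bind_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.(\w+))?="?([^"]*)"?', who)
    if not m or bind_dn is None:
        return False
    style, pattern = m.group(1) or "exact", m.group(2)  # assumption: dn= means exact
    if style == "regex":
        # slapd anchors dn.regex patterns, so require a full-string match
        return re.fullmatch(pattern, bind_dn, re.IGNORECASE) is not None
    if style in ("exact", "base"):
        return bind_dn.lower() == pattern.lower()
    raise ValueError(f"unsupported dn style: {style}")


def granted_level(rules, bind_dn, target_dn, attr):
    """The first rule whose target covers `attr` decides; in it, the first matching 'by'."""
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # rule covered the attribute but no clause matched
    return "none"      # no rule covered it: denied once any ACLs exist


def access_allowed(rules, bind_dn, target_dn, attr, wanted):
    """True if the granted level reaches the requested one."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


# Constructed DNs in the tree used by this post's ACL.
ADMIN = "cn=Administrador,dc=NT,dc=DPT,dc=ES"
JOE = "uid=joe,ou=People,dc=NT,dc=DPT,dc=ES"
ANN = "uid=ann,ou=People,dc=NT,dc=DPT,dc=ES"

# Ordering from the post: the catch-all "by * read" rule comes first.
BROKEN_ACL = f"""
access to *
  by self write
  by dn="{ADMIN}" write
  by * read
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="{ADMIN}" write
  by * none
access to attrs=userPassword
  by self write
  by * read
"""

# Same clauses with the password restrictions on top, as the reply suggests.
FIXED_ACL = f"""
access to attrs=sambaLMPassword,sambaNTPassword,userPassword
  by self write
  by dn="{ADMIN}" write
  by anonymous auth
  by * none
access to *
  by self write
  by dn="{ADMIN}" write
  by * read
"""

# The People-container clause from the SAMBA3 + LDAP thread, written as a regex:
# every user in ou=People may overwrite every other user's hashes.
OVERBROAD_ACL = """
access to attrs=sambaLMPassword,sambaNTPassword
  by dn.regex="uid=[^,]+,ou=People,dc=NT,dc=DPT,dc=ES" write
  by * none
"""

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "- anonymous can read joe's NT hash:",
              access_allowed(parse_acl(acl), None, JOE, "sambaNTPassword", "read"))
```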




[Samba] Re: Administering Groups

2005-11-13 Thread paul kölle
Simon Faulkner wrote:
> net groupmap list ntgroup="Domain Admins"
> Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
> 
> 
> 
> Does this mean I have no group for Domain Admins?
yes

> 
> Do I need to map them to root?
depends, AFAIK the "root" group is not special wrt samba, but it usually
owns a lot of security related files so I'd stay away from it. Make a
new group, say "domadms", map it to "Domain Admins" and use it on the
unix side. You can exploit the privilege (man smb.conf 
/privileges) feature to give members special rights on the
windows side.

hth
 Paul




[Samba] Re: Administering Groups

2005-11-12 Thread paul kölle
Simon Faulkner wrote:
> I have my Samba PDC running :-)
> 
> How do I administer groups from the samba box?
> 
> usrmgr.exe runs on the workstation but won't let me see groups
have you set up groupmapping?



[Samba] Re: Samba PDC + OpenLDAP replica

2005-11-05 Thread paul kölle
Jukka Hienola wrote:
> Nov  4 17:37:39 slave smbd[18093]:   fetch_ldap_pw: neither ldap secret
> retrieved!
> Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0]
> lib/smbldap.c:smbldap_connect_system(813)
> Nov  4 17:37:39 slave smbd[18093]:   ldap_connect_system: Failed to
> retrieve password from secrets.tdb
> 
> so I assume that Samba can now bind to LDAP directory, but fails when
> trying to get user's data. I don't know
> why Samba is trying to retrieve data from secrets.tdb, because in
> smb.conf I have set
> passdb backend = ldapsam:"ldap://slave.ldap.server
> ldap://master.ldap.server";
For ldap binds, samba needs the password for the DN you have in your
"ldap admin dn" directive. The password should have been set with
"smbpasswd -w".

hth
 Paul



[Samba] Re: Problems with LDAP authentication backend.

2005-10-26 Thread paul kölle
[EMAIL PROTECTED] wrote:
> Either I do not understand how Samba implements LDAP or there is something
> wrong with my setup.  My LDAP implementation is as follows.  The main LDAP
> suffix is dc=motogroup,dc=com and there are OU's of people and group under
> there.
> 
> Now, Samba is able to connect to the LDAP server, but it is not looking in
> the right place for the user accounts.  If I attempt to run pdbedit -L I
> get the following:
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SYSLOGSERVER))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SYSLOGSERVER))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> ldapsam_setsampwent: 0 entries in the base!
> 
> What I see there is Samba is in SamaDomainName=SYSLOGSERVER for the user
> accounts.  Since the accounts are not stored under that OU it isn't finding
> anything.  I attempted to copy the OU=people and the OU=group to
> SamaDomainName=SYSLOGSERVER but it still fails.
It's not looking for users here but for the entry with domain specific
information (domsid, ...). AFAIK you need to give samba write access to
"ldap suffix" (temporarily?) to create this entry.

> 
> Anyone have any ideas why Samba is not finding the accounts?
Maybe you forgot to set up nss_ldap on your server to fetch the unix part
from ldap?

hth
 Paul



[Samba] Re: Problems setting up Samba+LDAP PDC in Debian Sarge

2005-10-26 Thread paul kölle
Chema wrote:
> I see on log.nmbd:
> 
> [2005/10/25 10:42:15, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
>  add_domain_logon_names:
>  Attempting to become logon server for workgroup CORENA on subnet
> UNICAST_SUBNET
> [2005/10/25 10:42:15, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
>  become_domain_master_browser_wins:
>  Attempting to become domain master browser on workgroup CORENA,
> subnet UNICAST_SUBNET.
> [2005/10/25 10:42:15, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
>  become_domain_master_browser_wins: querying WINS server from IP
> 10.9.60.94  for domain master browser name CORENA<1b>
> on workgroup
> CORENA
> [2005/10/25 10:42:15, 0]
> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
>  become_logon_server_success: Samba is now a logon server for
> workgroup CORENA on subnet UNICAST_SUBNET
> [2005/10/25 10:42:15, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
> Is this "domain master browser name CORENA<1b>" normal?
What makes you think those messages have anything to do with the problem
at hand?

> 3. passwd
[snipp]
This is all about pam_ldap/nss_ldap, nothing samba specific.

> 
> With my normal user, if I try to change the password:
> 
> [EMAIL PROTECTED]:~$ ldappasswd
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error
> (80)
>additional info: SASL(-13): user not found: no secret in
> database
> 
> This produces the following sldap output:
> 
> Oct 25 11:45:03 dellj81 slapd[2925]: SASL [conn=55] Error: unable to
> open Berkeley db /etc/sasldb2: No such file or directory
> Oct 25 11:45:03 dellj81 last message repeated 2 times
> Oct 25 11:45:03 dellj81 slapd[2925]: SASL [conn=55] Failure: no secret
> in database
> Oct 25 11:45:03 dellj81 slapd[2925]: conn=55 op=2 RESULT tag=97 err=80
> text=SASL(-13): user not found: no secret in database
> 
> I have yet to enable TLS, so slapd shoulnd't be using SASL, right?
Eh? You can use ldappasswd -x ... to use simple binds to ldap or set up
/etc/sasl2/slapd.conf to use slapd's internal auxprop plugin and add a
sasl-regexp directive (man slapd.conf) to map SASL IDs to DNs.

my /etc/sasl2/slapd.conf (mech_list probably doesn't fit your needs):

#begin
mech_list: GSSAPI DIGEST-MD5 CRAM-MD5 NTLM EXTERNAL
pwcheck_method: auxprop
auxprop_plugin: slapd
#end

cheers
 Paul



[Samba] Re: test platform - samba + ldap issue smbldap-useradd hangs

2005-10-23 Thread paul kölle
adrian sender wrote:
> I am running redhat 9 on a test server, just for more experience really;
> I am using redhat 9 because of a scsi raid driver needed, please do not
> ask about this.
You are not using by any chance an adaptec rebranded marvell chip?

> smbldap-userdel username also hangs.
We need to know where it hangs, use strace smbldap-userdel to see what's
happening.

hth
 Paul



[Samba] Re: Redhat 9 Samba + LDAP PDC ./smbldap-populate issue

2005-10-17 Thread paul kölle
adrian sender wrote:
> ERROR1:
> 
> [EMAIL PROTECTED] sbin]# service ldap restart
> Stopping slapd:[FAILED]
> Starting slapd: Unrecognized database type (bdb)
So that speaks for itself does it? Your slapd is lacking bdb support,
you'll have to bite the bullet and use ldbm.

> 
> ERROR2:
> 
> [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0
> Can't locate Convert/ASN1.pm in @INC (@INC contains: /opt/IDEALX/sbin/
Install the ASN1 perl module.

> 
> Adrian Sender
> 
> 



[Samba] Re: Samba for Embedded System, Network-Storage and Print-Server

2005-10-14 Thread paul kölle
Ranjeet Kumar - R&D wrote:
> Hi,
> 
> I am new to the mailing list, if any thing is wrong please excuse me in
> advance. 
> 
> We are running Linux-2.4.20 on the MIPS32 architecture. We have USB2.0 host
> and various network interfaces on the board and we want to support "USB
> Network-Storage" and "USB Print-Server". Until now I am able the make
> "USB-Storage" and "USB-Printer" working locally. 
Search Google for "samba ipkg"; there are builds of samba 2.x for WRT54GS
like devices which seem identical to what you're using. There is a
samba 3.x build for the NSLU2 but IMO it has more RAM/FLASH...

hth
 Paul



[Samba] Re: Samba/OpenLDAP reliability issue: backend experience needed

2005-10-03 Thread paul kölle
Gerd-Christian Michalke wrote:
[snipp]
> Sometimes, the OpenLDAP gets corrupted, no ideas why. It's a bad thing.
Randomly?


> What would you suggest in order to be reliable ? Reliability is more 
> important 
> than speed for us.
Do you have a DB_CONFIG file with proper settings for your bdb
environment? I suggest reading the relevant articles on the openldap
faq-o-matic wrt bdb and the sleepycat documentation on DB_CONFIG parameters.

> 
> I used to work with a bdb backend, had problems; the SuSE consultant told us 
> to use ldbm, but it isn't any better.
Get another consultant.

cheers
 Paul



[Samba] Re: LDAP PDC question

2005-10-01 Thread paul kölle
Derek Harkness wrote:
> I don't want my unix users seeing all  the windows workstations.
Unfortunately, there seems no way to prevent this. Samba makes no
distinction between looking up users and computers. They are both looked up in
the "passwd" NSS table. One could argue, a computer account should
belong to the "hosts" table, looked up with gethostbyname and tied to
the Host object from nis.schema. But given the fact that hosts are handled
by DNS and /etc/hosts, this would probably open several cans of worms.
The other approach would be to detect computer accounts looking for $ at
the end of the name (if this is a valid assumption) and give them their
own codepath.

greetings
 Paul



[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-30 Thread paul kölle
Kristof Bruyninckx wrote:
[snipp]

> But I have one more question, I configured a LDAP client, and on this
> machine I can see all the normal NIS users, but I don't see any windows
> users. This might sound stupid but this was what how I expected it to
> work. Sometimes it takes a while for the brain to catch a clue :).
;), if I recall your setup correctly you don't have the windows "users"
in LDAP. They are coming from AD and nss_winbind makes them available
for the OS. Idmap provides a means to share SID -> UID mappings across
multiple servers. Something like:

> 
> Now my question would be, how to setup the client, to use the mapping
> stored into the LDAP server. 
This largely depends on the definition of "use".

> If this is possible, since at the moment
> I'm a bit confused. Do I have to perform this setup on every server to
> Unify SID to UID/GID mapping. Or how can I use the LDAP server I just
> setup for this purpose,
For your samba servers you just point every member server to your
ou=Idmap, ... branch. You *can* add another LDAP server as slave to add
redundancy but that's another story.

grz
 Paul



[Samba] Re: ldapsam:trusted = yes kills smbd

2005-09-29 Thread paul kölle
Jeremy Allison wrote:

> Ah, no - smbd is still calling the system getpwnam and others
> so I think you're still going to need ldap in nsswitch.conf.
I'd say the manpage (smb.conf) is a bit misleading then:

[...] If these assumptions are met,ldapsam:trusted=yes can be activated
and  Samba can completely bypass the NSS system to query user
information. Optimized LDAP queries can speed up domain logon and
administration tasks a lot.[...]

grz
 Paul



[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-29 Thread paul kölle
Kristof Bruyninckx wrote:
> But still there are some new problems that popped up. wbinfo -u ,wbinfo
> -g and wbinfo -t still work.
> Also getent passwd works, and shows me all the windows accounts, but it
> is very slow, when starting this command the LDAP starts pumping a lot
> of messages into /var/log/message, this in it self is not a real problem
> since the debugging is turned to maximum.
Logging slows things down; additionally you might consider adding
indexes for the relevant attributes to slapd.conf, shut down the ldap
server, run slapindex and start again.

> But even do getent passwd is working, I cannot perform id
> 
Hmm, I'd expect id should work for root as soon as getent works for
root. Stop nscd if running. I'm sure you already read this:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

> nor login as that user.
You have set up pam_winbind, haven't you?

> ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any 
> entry, and
> if I'm not mistaken it should display everything.
No, this is an anonymous search and your ACLs do not grant anonymous
read access. I don't know if that is a problem for nss_winbind though,
try changing your last ACL to:

access to *
 by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
 by self write
 by users read
 by * read

If that helps you will have to investigate which component uses
anonymous binds and if that can be changed.

cheers
 Paul



Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-29 Thread Paul Kölle
Kristof Bruyninckx wrote:

snipp
> Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn:
> cn=Manager,dc=thales,dc=be
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
> Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
> tvp=NULL
> Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
> Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r
> Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8
> Sep 29 10:59:52 linux14 slapd: connection_get(8)
> snip"
>
> which to my opinion is odd since it is no longer used in samba. And it
> fails to authenticate. I tried a reset off the password, and changed the
> entries in ldap.conf and slapd.conf. Once done, I tried to modify an
> existing entry with ldapmodify which was successfully. Is samba here
> still trying to access the LDAP with this account?
Probably not, but I'm pretty sure you have nss-ldap installed with a
configured /etc/ldap.conf or wherever this file is on your distro.


> Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: anonymous
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] applying auth(=x) (stop)
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] mask: auth(=x)
> Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by
> auth(=x)
> Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
> tvp=NULL
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
> Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
> Sep 29 10:59:52 linux14 slapd: daemon: activity on:
> snip"
> 
> What ever is happening here, it seems that the samba users is not
> getting write permissions.
Before the password is checked the bind is "anonymous" and it requests
auth access to userPassword which is granted. That's how things are
supposed to work. err=0 above indicates no error.

> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx)
> (stop)
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
> Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by
> write(=wrscx)
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
> snip"
> 
> But here LDAP does grant the samba user the proper permissions.
Sure, the request was for "entry" and "objectClass" etc., so the
condition in the "access to attrs=userPassword" doesn't match here.

> Sep 29 10:59:52 linux14 slapd: modifications:
> Sep 29 10:59:52 linux14 slapd:  add: objectClass
> Sep 29 10:59:52 linux14 slapd:  one value, length 15
> Sep 29 10:59:53 linux14 slapd:  add: uidNumber
> Sep 29 10:59:53 linux14 slapd:  one value, length 5
> Sep 29 10:59:53 linux14 slapd:  add: gidNumber
> Sep 29 10:59:53 linux14 slapd:  one value, length 5
> *Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched=""
> text="objectClass: value #0 invalid per syntax"*
Google would have told you this error stems from unrecognized
objectClass definitions. You are probably missing an "include" statement
in slapd.conf. You need at least core.schema, cosine.schema, nis.schema
and samba.schema (in that order).

cheers
 Paul




Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-28 Thread Paul Kölle
Kristof Bruyninckx wrote:
> Entry in the /etc/samba/smb.conf
> snip "
> ldap ssl = no
> ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
> ldap idmap suffix = ou=idmap
> ldap suffix = dc=thales,dc=be
> idmap backend = ldap:ldap://127.0.0.1
> snip"
> 
> Also fixed the ACL (I think...) :
> 
> Changed the ACL part in the /etc/openldap/slapd.conf to the following
> 
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
> by * none
> access to *
> by self write
> by users read
> by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
ACLs are evaluated "in order"; the first match wins (see man slapd.access).

Here is a (simple) example:

# give everyone read access to the RootDSE and subschema
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read

# protect passwords
access to attrs=userPassword
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by anonymous auth
        by * none

# very permissive, but this is no problem as long as there are
# no other sensitive entries in the directory like user objects.
access to *
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by users read
        by * none

hth
 Paul


[Samba] Re: Authentication confusion - may be LDAP related

2005-09-27 Thread paul kölle
Ric Tibbetts wrote:
> This is from the error log:
> 
>  attempting to make a user_info for u212442 (212442)
>  making strings for u212442's user_info struct
>  making blobs for u212442's user_info struct
>  made an encrypted user_info for u212442 (212442)
>  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
>  getsampwnam (smbpasswd): search by name: u212442
>  check_sam_security: Couldn't find user 'u212442' in passdb.
>  check_ntlm_password:  Authentication for user [212442] -> [u212442]
> FAILED with error NT_STATUS_NO_SUCH_USER
If you can increase the log level for the LDAP server you can see what
filter is used above and find out why the object is not found.
Have you added the sambaSamAccount objectClass and attributes to the
user? You can use smbldap-tools for that.

> 
> Yet, from that same AIX box if I check my id:
> 
> #> id u212442
> uid=1040(u212442) gid=1001(sysadmin)
> 
> So the OS knows the id exists, it's just not passing that info to Samba.
Sorry, I don't know AIX, but if all users and groups samba needs to know
about are in LDAP, you can probably set "ldapsam:trusted = yes" in
smb.conf, bypassing the whole NSS story. Read the smb.conf manpage to see
what this parameter does.

hth
 Paul



[Samba] Re: Authentication confusion - may be LDAP related

2005-09-27 Thread paul kölle
Ric Tibbetts wrote:
> dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> uid: 1040
> username: u123456
> 
> 
> with u123456 being my *nix login.
> 
> To me, this looks very wrong (not to mention that there's no dc=).
It looks wrong, and the author surely had no clue what cn means etc.;
nevertheless it should work.


> If I'm seeing this right, shouldn't the login be the "uid" not
> "username"? Is that what Samba is looking for?
You can set "ldap filter = (username=%u)" in smb.conf along with a
suitable value for "ldap suffix".

Check the users with "getent passwd" to test if they are visible to the
system.



[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-27 Thread paul kölle
Kristof Bruyninckx wrote:
> Hi, I removed the entry for "cn=manager,dc=thales,dc=be" and checked
> with ldapmodify if I could change the existing NIS users, which seems to
> still work.
> 
> Now I added a user called Admin , output from slapcat :
No, you have not. You authenticate with a DN and a password, so a "user"
object in LDAP is identified by a DistinguishedName, not by something
with a cn=whatever attribute.

> Any ideas of what I'm doing wrong?
Your accounts are still messed up. You create an entry with DN
uid=root,ou=Idmap,dc=thales,dc=be but your "admin dn" is
"cn=Admin,dc=thales,dc=be"; how is that supposed to work?

Given the admin DN should not be used for other stuff (think of the least
privilege model ;) it could look like:

dn: uid=samba,ou=services,dc=thales,dc=be
objectClass: top
objectClass: simpleSecurityObject
objectClass: account
uid: samba
userPassword: {CLEARTEXT}whatever
description: DN for samba

Then you would do:
1. change the ou to your needs
2. change the password
3. fix your ACLs
4. put exactly that DN in your smb.conf
5. run: smbpasswd -w  -> type in password from step 2.

Of course you can use whatever DN you like, it needs just a userPassword
attribute.

hth
 Paul



[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

2005-09-27 Thread paul kölle
Kristof Bruyninckx wrote:
> # Use the OpenLDAP password change
> # extended operation to update the password.
> pam_password md5
If you want it to do what the comment suggests this should read:
pam_password exop


> dn: cn=Manager,dc=thales,dc=be
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager
I think that may be your problem. The DN is the same as your rootdn in
slapd.conf but does not have a userPassword attribute. It might "shadow"
your rootdn making binds with that DN fail (see below). You don't have
to add the "rootdn" from slapd.conf to your directory but it is
generally discouraged to use it in daily operations as ACLs do not apply
to "rootdn".


> Sep 27 13:31:47 linux14 slapd: => access_allowed: auth access to
> "cn=Manager,dc=thales,dc=be" "userPassword" requested
> Sep 27 13:31:47 linux14 slapd: => access_allowed: backend default auth
> access granted to "(anonymous)"
> Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched=""
err=49 means "invalid credentials", most likely due to the missing
"userPassword" attribute of cn=manager,dc=thales,dc=be.


Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you
can bind with rootdn and rootpw from your slapd.conf. If that works,
create another entry in your DIT with a userPassword attribute, give it
appropriate permissions in slapd.conf and use that for your "ldap admin
dn" in smb.conf.

hth
 Paul



Re: RES: RES: [Samba] Re: ACLs with Problem

2005-09-27 Thread Paul Kölle
Luis Henrique de Faria Guimarães wrote:
> [2005/09/26 17:11:53, 3] 
> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2581)
>   convert_canon_ace_to_posix_perms: Too many ACE entries for file teste.txt 
> to convert to posix perms.
I wonder why convert_canon_ace_to_posix_perms is called with a
file_ace_list with more than three canon_ace elements. set_nt_acl should
never call convert_canon_ace_to_posix_perms that way. I guess it fails
because you have an ACL_USER_OBJ which makes the file_ace_list longer
than three entries, but for some reason set_nt_acl thinks it cannot use
set_canon_ace_list.

I have just started to read the code, so maybe someone who really knows
what's going on could clear this up a bit.

hth
 Paul

BTW: check your samba binary for ACL support, could be that ./configure
failed to pick up some libs or headers and the whole feature is not
present. Use "strings $(which smbd) | grep HAVE_POSIX_ACLS". If you
don't get anything back your binary lacks ACL support.

PS: Try not to start a new thread with each response and please keep
your replies on the list.



[Samba] Re: IAbwesenheit : samba Digest, Vol 33, Issue 35

2005-09-26 Thread paul kölle
public class [EMAIL PROTECTED] implements IAbwesenheit {
  public [EMAIL PROTECTED](){
return;
  }
}

scnr
 Paul

Disclaimer: I don't know java



Re: RES: [Samba] Re: ACLs with Problem

2005-09-25 Thread Paul Kölle
Luis Henrique de Faria Guimarães wrote:
> I believe that you it did not understand my explanation.  I have a Linux 
> server executing samba integrated 
> with a server windows 2003 (PDC).  Linux is using the users of windows 2003 
> saw winbind.  But, the permissions 
> for these of archive do not function.  When I try to change the permissions 
> of an archive in the sharing of the
> samba, it I do not function.  The part of ACL of the samba is not 
> functioning, you understood me.
What you are saying is, it does not work as you think it should. The
getfacl output you showed seems to indicate that ACLs are working on the
linux side, so far so good. Then you say permissions are not correct
from windows explorer and you cannot set them correctly. To identify the
underlying problem you need to provide more details.

1. Which user is logged on to the windows workstation trying to modify
a file on the samba share?

2. What are the ACLs on that file before you try to change them and what
are they after the operation failed?

3. What is the output of the samba log when you try to change ACLs on
the file?

hth
 Paul




[Samba] Re: Role of TLS in LDAP for Samba 3.x

2005-09-24 Thread paul kölle
Arup Biswas wrote:
> I am wondering if there is any documentation that describes the role TLS
> plays in LDAP security in Samba 3.x. I would like to understand what is the
> relationship of TLS with other LDAP security mechanisms like Kerberos via
> SASL and if TLS provides any added security. Is it like TLS provides an
> encrypted channel for all LDAP communications (privacy) whereas Kerberos
> just provides the authentication?
> 
> I would appreciate any pointer,
As far as the samba <-> LDAP communication is concerned, you can use
start_tls = yes in smb.conf to encrypt the traffic. AFAIK you cannot use
SASL mechs like GSSAPI for this (samba does only simple binds).

hth
 Paul



Re: RES: [Samba] Re: ACLs with Problem

2005-09-23 Thread Paul Kölle
Luis Henrique de Faria Guimarães wrote:
> I believe that you it did not understand my explanation.  I have a Linux 
> server executing samba integrated 
> with a server windows 2003 (PDC).  Linux is using the users of windows 2003 
> saw winbind.  But, the permissions 
> for these of archive do not function.  When I try to change the permissions 
> of an archive in the sharing of the
> samba, it I do not function.  The part of ACL of the samba is not 
> functioning, you understood me.
What you are saying is, it does not work as you think it should. The
getfacl output you showed seems to indicate that ACLs are working on the
linux side, so far so good. Then you say permissions are not correct
from windows explorer and you cannot set them correctly. To identify the
underlying problem you need to provide more details.

1. Which user is logged on to the windows workstation trying to modify
a file on the samba share?

2. What are the ACLs on that file before you try to change them and what
are they after the operation failed?

3. What is the output of the samba log when you try to change ACLs on
the file?

hth
 Paul





[Samba] Re: ACLs with Problem

2005-09-22 Thread paul kölle
Luis Henrique de Faria Guimarães wrote:
> With this configuration the users of the PDC (windows 2003) are 
> authentication way telnet 
> without problem.  However, the ACL do not function.  They see the exit with 
> command getfacl teste.txt:
> 
> [EMAIL PROTECTED] teste]# getfacl teste.txt
> # file: teste.txt
> # owner: root
> # group: Domain Users
> user::rwx
> user:henrique:rw-
> group::r--
> mask::rw-
> other::r--
Can you please describe what you expected to see here and why?

> 
> The user henrique appears in linux, but he does not appear in windows.
Then I'd say he's a linux user and not from AD via winbind right?

> When I try to add permissions through windows appears a message of "denied 
> access".
Whether that is a "correct" result largely depends on which user is
logged in to the windows workstation. It would be helpful if you set
samba to a moderate debug level and provide the relevant logs generated
when the desired operation(s) fail.


hth
 Paul



[Samba] Re: Samba with Mysql, compilation problem. (Additionnal information)

2005-09-22 Thread paul kölle
MARTIN Pierre wrote:
> Hey people,
> 
> i just had a compilation error! I'm pretty happy because it means that i
> am doing something wrong. It seems that the compiler doesn't find
> mysql.h include header file. The point is that i have all these includes
> files in this folder:
> /usr/local/mysql/include/mysql/
> 
try:
CFLAGS="$CFLAGS -I/usr/local/mysql/include/" LDFLAGS="$LDFLAGS -L/usr/local/mysql/lib" ./configure --foo --bar

not sure if you have to add the last /mysql/ part also, just try it ;)

hth
 Paul



[Samba] Re: Authentication for user FAILED with error NT_STATUS_NO_SUCH_USER

2005-09-22 Thread paul kölle
Sérgio A P Ferreira wrote:
> Hi list,

> Sep 21 14:59:15 zeus slapd[2123]: conn=18 op=2 SRCH
> base="dc=cultura,dc=gov,dc=br" scope=2 deref=0
> filter="(&(uid=testuser)(objectClass=sambaSamAccount))"
> Sep 21 14:59:15 zeus slapd[2123]: conn=18 op=2 SRCH attr=uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
> sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
> sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
> sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
> modifyTimestamp sambaLogonHours modifyTimestamp
> Sep 21 14:59:15 zeus slapd[2123]: conn=18 op=2 SEARCH RESULT tag=101 err=0
> nentries=0 text=
See the nentries=0? This is telling you the object was not found in your
LDAP directory. Try to search from the commandline with ldapsearch like:

ldapsearch -D "<bind dn>" -b "dc=gov,dc=br" -W "(&(uid=testuser)(objectClass=sambaSamAccount))"

If that doesn't work, try modifying the search filter to read:

"(&(uid=*)(objectClass=*))"

If it works (you get the entries back), your entry is most likely missing
the sambaSamAccount attributes, that is to say you missed a step in your
setup (smbpasswd?).

If it does not work it might be a problem with ACLs in your LDAP server.
Try using your "rootdn" from slapd.conf for the -D switch in the above
search. If that works, change your ACLs to allow your "ldap admin dn" to
read and write the necessary attributes.

Another thing to check is if your users are visible to the system via
NSS; a "getent passwd" should show your samba users along with the users
from /etc/passwd.

hth
 Paul



[Samba] Re: passdb backend = pizza

2005-09-20 Thread paul kölle
Chris wrote:

> Is it just the systems I've. examined? Am I looking for too much? Or 
> does testparm need to pay more attention?
AFAIK testparm just checks parameters, not values.


cheers
 Paul



[Samba] Re: ACL problem

2005-09-15 Thread paul kölle
David Mataró Ciller wrote:
> Hi all,
> 
> I have joined samba server (3.0.14a-2) to an ADS. I can copy, move and
> remove files from any windows workstation and also I can set ACLs. I
> need migrate files from 4 w2k servers to samba server and preserve
> ACL's. One server are into ADS domain, but the others server are into
> others domains. I use robocopy.exe to migrate files and folders. When I
> run robocopy the files and folders are copied but the ACLs are not
> preserved.
> 
> The error is:
> 
> [2005/09/13 10:15:06, 1] smbd/service.c:make_connection_snum(642) wxp
> (192.168.1.115) connect to service docu initially as user CECOTDM
> +administrador (uid=1, gid=1) (pid 2695)
> [2005/09/13 10:15:06, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-1844237615-920026266-725345543-500 to uid or gid.
> 
> Possibly an idea?
How do you expect samba to convert the ACL if there is no SID -> uid/gid
mapping? Apparently the users (i.e. SIDs of DACLs) on your "other
server" are unknown to samba (is it part of a trusted domain?).

hth
 Paul



[Samba] Re: Samba + OpenLDAP: LDAP server is running but could not respond to a search request

2005-09-10 Thread paul kölle
Steven Truong wrote:
> ldapsearch -x -b "dc=sample,dc=com" "(ObjectClass=*)"
> # extended LDIF
> #
> # LDAPv3
> # base  with scope sub
> # filter: (objectClass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> Here is the log for this request from /var/log/ldaplogs
> Sep 9 04:32:51 Ns02 slapd[10449]: conn=52 fd=18 ACCEPT from IP=
> 127.0.0.1:1510  (IP=0.0.0.0:389 )
> Sep 9 04:32:51 Ns02 slapd[10449]: conn=52 op=0 BIND dn="" method=128
> Sep 9 04:32:51 Ns02 slapd[10449]: conn=52 op=0 RESULT tag=97 err=0 text=
> Sep 9 04:32:51 Ns02 slapd[10449]: conn=52 op=1 SRCH 
> base="dc=nanostellar,dc=com" scope=2 deref=0 filter="(objectClass=*)"
^^^
that's not dc=sample,dc=com
[snip]

> However, 
> net groupmap list
> [2005/09/09 04:39:30, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
> ldapsam_setsamgrent: LDAP search failed: No such object
> [2005/09/09 04:39:30, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
> ldapsam_enum_group_mapping: Unable to open passdb
[snip]

> filter="(&(objectClass=sambaDomain)(sambaDomainName=sample))"
> Sep 9 04:39:52 Ns02 slapd[10449]: conn=61 op=2 SRCH attr=sambaDomainName 
> sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID 
> sambaAlgorithmicRidBase objectClass
> Sep 9 04:39:52 Ns02 slapd[10449]: conn=61 op=2 SEARCH RESULT tag=101 err=0 
> nentries=1 text=
> Sep 9 04:39:52 Ns02 slapd[10449]: conn=61 op=3 SRCH 
> base="ou=Goups,dc=sample,dc=com" scope=2 deref=0 
   ^^typo?

cheers
 Paul




[Samba] Re: SID problems...

2005-09-04 Thread paul kölle
Felipe wrote:
> unfortunately, this is the problem.. when I change the domain name and
> I need to do that some times... but even when I change the domain name
> and the SID is changed too, I can't replace its new SID performing net
> setlocalsid command with the SID that I was using before.
> 
> What I need is to, whatever I do, keep my SID. No matter what I have
> to do except for repopulate the ldap database.
"net getlocalsid" will return a SID associated with your $"netbios name"
parameter. Whenever you change your $"workgroup name" in smb.conf, samba
will generate a new sambaDomain entry in LDAP (granted you have
sufficient rights for adding the entry) whose SID will match the one
from $"netbios name". "net getlocalsid" takes $"workgroup name" as an
optional parameter so you can check if your SIDs match. If they match,
everything SHOULD work.

hth
 Paul

PS: I say SHOULD, because the above is derived from fooling around with
samba, not reading the source.



[Samba] Re: Help request: Windows and Linux authorisation in windows domain.

2005-06-21 Thread paul kölle
Molot wrote:
> I have problem (as you noticed ;] ). I have to make unified
> authorisation system for large, insecure network connected to a two
> Polish skeleton networks. As you see I need to do it right to avoid big
> problems.
Not sure if I understood your problem but my first thought was about
using LDAP for the job. You can use it as a backend for samba and your
linux clients will be able to auth against it (mostly) out of the box.
There is password sync with samba credentials in place and it can be
used with SSL/TLS.

hth
 Paul



[Samba] Re: smbldap- only user root can login to windows.

2005-06-19 Thread paul kölle
Ryan Braun wrote:
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 BIND dn="" method=128
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 RESULT tag=97 err=0 text=
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SRCH 
> base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid
> =windowsguy))"
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SRCH attr=uid 
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos 
> description objectCla
> ss
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
this is an anonymous bind from NSS and it returns no entry for
uid=windowsguy. It seems anonymous binds have no read access to the
Users container, check your ACLs.


> SAMBA
> [2005/06/17 15:51:42, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/06/17 15:51:42, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset 
> by 
> peer
> [2005/06/17 15:51:42, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2005/06/17 15:51:42, 2] smbd/server.c:exit_server(609)
>   Closing connections
> [2005/06/17 15:51:49, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
>   netsec_decode: FAILED: packet sequence number:
> [2005/06/17 15:51:49, 2] lib/util.c:dump_data(1995)
>   [000] 2F 5D 35 7D C5 F5 6E 88   /]5}..n.
> [2005/06/17 15:51:49, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
>   should be:
> [2005/06/17 15:51:49, 2] lib/util.c:dump_data(1995)
>   [000] 00 00 00 00 80 00 00 00   
> [2005/06/17 15:51:49, 2] lib/smbldap.c:smbldap_open_connection(692)
>   smbldap_open_connection: connection opened
> [2005/06/17 15:51:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: win2k$
> [2005/06/17 15:51:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: windowsguy
> [2005/06/17 15:51:49, 1] auth/auth_util.c:make_server_info_sam(840)
>   User windowsguy in passdb, but getpwnam() fails!
that is what samba makes from the empty search result for
(&(objectClass=posixAccount)(uid=windowsguy))

> [2005/06/17 15:51:49, 0] auth/auth_sam.c:check_sam_security(324)
>   check_sam_security: make_server_info_sam() failed with 
> 'NT_STATUS_NO_SUCH_USER'
> [2005/06/17 15:51:49, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password:  Authentication for user [windowsguy] -> [windowsguy] 
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/06/17 15:54:26, 2] smbd/server.c:exit_server(609)
>   Closing connections
> 
> Now the working example for user root (snipped)
> Jun 17 17:15:13 ywgldap0 slapd[16885]: conn=163 fd=10 closed
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 fd=10 ACCEPT from 
> IP=192.168.240.17:34126 (IP=0.0.0.0:389)
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND 
> dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND 
> dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 RESULT tag=97 err=0 text=
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SRCH 
> base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=root))"
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 ENTRY 
> dn="uid=root,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
here, NSS binds with DN and password and the search succeeds.

It seems samba is performing the NSS call as the user trying to log on
to the domain, hence if root logs in NSS uses the DN from "rootbinddn",
and in all other cases the DN from "binddn", which is anonymous by
default. Check your settings for "binddn" and "rootbinddn" in ldap.conf
(the config for libnss_ldap.so; use strace and getent to find out where
the file is, most likely /etc/ldap.conf). If you don't want to allow
anonymous searches for your users you can use a proxy DN for "binddn"
and put the cleartext password in /etc/ldap.secret (600).

hth
 Paul

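The diagnosis above (an anonymous NSS bind followed by a search that returns nentries=0) and the "nentries=0 means the object was not found" check from the 2005-09-22 reply are both mechanical enough to script. Here is an added example, not code from the list posts, that correlates slapd stats-log lines per connection and operation and flags those two symptoms plus a failed bind; the log lines are constructed, modelled on the quoted excerpts, with made-up hostnames, DNs and addresses.

```python
"""Correlate OpenLDAP stats-log lines (loglevel 256) and flag the symptoms
discussed in the thread. Added example; the sample log is constructed."""
import re

SAMPLE_LOG = """\
Jun 17 15:51:49 ldap1 slapd[16885]: conn=102 fd=18 ACCEPT from IP=192.168.0.5:1510 (IP=0.0.0.0:389)
Jun 17 15:51:49 ldap1 slapd[16885]: conn=102 op=0 BIND dn="" method=128
Jun 17 15:51:49 ldap1 slapd[16885]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 17 15:51:49 ldap1 slapd[16885]: conn=102 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=windowsguy))"
Jun 17 15:51:49 ldap1 slapd[16885]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 17 17:17:02 ldap1 slapd[16885]: conn=164 op=0 BIND dn="cn=nss,ou=Admins,dc=example,dc=com" method=128
Jun 17 17:17:02 ldap1 slapd[16885]: conn=164 op=0 BIND dn="cn=nss,ou=Admins,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 17 17:17:02 ldap1 slapd[16885]: conn=164 op=0 RESULT tag=97 err=0 text=
Jun 17 17:17:02 ldap1 slapd[16885]: conn=164 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Jun 17 17:17:02 ldap1 slapd[16885]: conn=164 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 17 17:18:00 ldap1 slapd[16885]: conn=165 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jun 17 17:18:00 ldap1 slapd[16885]: conn=165 op=0 RESULT tag=97 err=49 text=
"""

# The "BIND ... method=128" line carries the DN; the "mech=SIMPLE" line is
# deliberately not matched, so each bind attempt is counted once.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d deref=\d filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")


def parse_stats_log(text):
    """Return bind and search events in log order, each tagged with the
    identity the connection was bound as ("" is anonymous, as slapd logs it)."""
    bound = {}          # conn -> DN currently bound on that connection
    pending_bind = {}   # (conn, op) -> DN of a bind whose RESULT is still missing
    pending_srch = {}   # (conn, op) -> (base, filter)
    events = []
    for line in text.splitlines():
        if m := BIND_RE.search(line):
            pending_bind[(m.group(1), m.group(2))] = m.group(3)
        elif m := BIND_RESULT_RE.search(line):
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            dn = pending_bind.pop((conn, op), "")
            bound[conn] = dn if err == 0 else ""   # a failed bind leaves it anonymous
            events.append({"kind": "bind", "conn": conn, "op": op, "dn": dn, "err": err})
        elif m := SRCH_RE.search(line):
            conn, op, base, flt = m.groups()
            pending_srch[(conn, op)] = (base, flt)
        elif m := SRCH_RESULT_RE.search(line):
            conn, op, err, n = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
            base, flt = pending_srch.pop((conn, op), ("?", "?"))
            events.append({"kind": "search", "conn": conn, "op": op,
                           "bind_dn": bound.get(conn, ""), "base": base,
                           "filter": flt, "err": err, "nentries": n})
    return events


def diagnose(events):
    """Map the correlated events to the checks the replies walk through."""
    findings = []
    for ev in events:
        where = f"conn={ev['conn']} op={ev['op']}"
        if ev["kind"] == "bind" and ev["err"] == 49:
            findings.append((where, "bind_invalid_credentials",
                             f"bind as {ev['dn']!r} failed with err=49: wrong password, or the "
                             "DN has no userPassword attribute and is not the rootdn"))
        elif ev["kind"] == "search" and ev["err"] != 0:
            findings.append((where, "search_error", f"search returned err={ev['err']}"))
        elif ev["kind"] == "search" and ev["nentries"] == 0:
            if ev["bind_dn"] == "":
                findings.append((where, "empty_anonymous_search",
                                 f"anonymous search {ev['filter']} under {ev['base']} returned "
                                 "nentries=0: ACLs may hide the entries from anonymous, or the "
                                 "entry lacks the objectClass/attribute named in the filter"))
            else:
                findings.append((where, "empty_search",
                                 f"search {ev['filter']} as {ev['bind_dn']} returned nentries=0: "
                                 "the entry probably lacks the objectClass/attribute in the filter"))
    return findings


if __name__ == "__main__":
    for where, code, text in diagnose(parse_stats_log(SAMPLE_LOG)):
        print(f"{where}: [{code}] {text}")
```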


[Samba] Re: Migrating Fileservers to LDAP

2005-06-17 Thread paul kölle
Adam Engel wrote:

> 1) Some users have accounts on 1 or more of our fileservers, as well as
> an account with our LDAP server, same username but passwords aren't
> synched.  If I have the server join the domain, what consequences or
> problems will I have with the user accounts. Obviously the gid/uid's
> wont be the same on the servers. Will the 'Local' users be enforced
> instead of the domain user accounts when it comes to the files?
No, uid/gid stuff is simply managed by NSS and samba takes what it gets
from there. Depending on your nsswitch.conf, ldap users may come behind
local users, but conceptually they are in the same namespace and you have
no unique mapping name <-> uid/gid anymore. In short: don't do that;
instead point all your fileservers to your LDAP server, delete local
users if they exist in ldap and migrate the data to new uids/gids.

cheers
 Paul



[Samba] Re: File owner / group

2005-06-14 Thread paul kölle
[EMAIL PROTECTED] wrote:
> Hi all,
> I have a Samba 3.0.13 with ACL support running under SuSE and acting as a
> PDC for the hole organization.
> Among some shares, there's one that has about ten subdirectories.
> Everybody can access this share and restrictions are applied over those
> subdirs.
> 
> The problem is that, for example, when I create a file (or modify it with
> Word or Exel) in the Finances subdirectory, the file has my primary group
> as GID (Technology, in this case).
> What I need to do is to force Samba to create files with a specific GID
> for each of those subdirectories.
Does the file just need to include this GID in its ACLs or does it
need to be owned by that GID? The former is achieved by adding that
group to the inheritable ACLs for the directory holding the file; for
the latter I don't know if it is possible, AFAIK one cannot mandate
ownership through ACLs and I don't know if "force group" plays well with
ACLs... (just try the latter and report back if it works).

HTH
 Paul

BTW: use setfacl/getfacl from Linux or whatever your OS provides, I
haven't found documentation in what way the various settings of the
"permissions" dialog from W2k/XP translate through samba to posix ACLs.



[Samba] Re: Problems with testing Openldapserver telnet localhost 389

2005-06-06 Thread paul kölle
Andreas wrote:
> Hello!
> Server Starting is ok: no errormessage:
> /usr/lib/openldap/slapd restart
Check with pidof; a start script succeeding is not a good sign of success.
>
> But Testing, not:
> amd:~ # telnet localhost 389
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> Trying ::1...
> telnet: connect to address ::1: Connection refused
check locally with "getent passwd".

>
> amd:/usr/lib/openldap # ps -agx | grep lapd
> Warning: bad ps syntax, perhaps a bogus '-'? See
> http://procps.sf.net/faq.html
>  4788 pts/2S+ 0:00 grep lapd
what is that?

>
> access  to dn="."dc=samba,dc=junits"
> by self write
> by *read
this doesn't look like a valid regex..., and it's not secure either.
Everyone can read your passwords. Read the slapd.access manpage.

hth
 Paul





[Samba] Re: what to do ??

2005-03-18 Thread paul kölle
Greg Andrews wrote:
The school has the ability to obtain a microsoft solution at no cost (
except for the new hardware required, which is the reason for this email
in the first place ).
So a different solution would only make sense if it doesn't need new 
hardware...
Advice and opinions are sought on the following points
1. do I go microsoft
2. do I stick with novell ( I am aware of a "misty" who recently migrated
from netware to linux ) and perhaps move to netware 6 ( cost about $3000 )
If that's cheaper than new hardware for $MS, I'd do that.
3. do I move to samba.
AFAIK, you can use NDS through LDAP, (at least with recent versions) as 
backend for samba (extending the schema in NDS), or use another LDAP 
product...

> 4. do I make a hybrid and pick the eyes out of each system
> Now I fully expect most people to say go linux and whilst I am all for it
> I need to be able to justify my decision. I am capable of administering a
> netware system and have a rudimentary samba server system running at
> another place ( no ldap ) so am familiar with samba to some degree but
> have ( up until now ) steered clear of the inferior microsoft server
> packages ( also have little experience with them ). So some training costs in
> samba and microsoft should be included in the mix. Netware I am
> conversant with.
Personally, I found (Open)LDAP hard to grasp, there are still small 
details/constraints/pitfalls I'm picking up time by time, which are 
important for the big picture one should know (unfortunately you need 
that knowledge upfront when designing your directory, it's generally 
hard to change things later). It's a great piece of software with 
endless flexibility and possibilities but that doesn't come for free... ;)

> One major consideration will be that I would like to be able to run a
> single user database. ldap I think will accomplish this. I am currently
> using netware's nds to do this.
Evaluate what you need to do/buy to use NDS with samba; AFAIK support for
samba and "Netware universal password" has been added recently, you may
ask here for details.

> Can samba run as a SUS server?
Nope, but you can install SUS on a normal XP box by "hacking" the 
installer...

hth
 Paul


[Samba] Re: Any ideas - samba3+openldap2.2.15-5: problems loggin users onto domain

2005-02-12 Thread paul kölle
Marcelo M. Lopes wrote:
> Hi,
>
> I've got this scenario in my Suse 9.2 box:
>
> samba-3.0.7-5
> openldap2-2.2.15-5
> smbldap-tools-0.8.4-1
>
> So when I try to logon with a default user (winnt) I receive C001
> error code (insufficient auth). Here are the logs for this request:
>
<-- snip -->

Marcelo,
At a first glance, there is no error in your log from slapd. All queries
return err=0 and nentries=1, right? Maybe looking for errors in your
samba logs might help.

hth
 Paul
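Paul's check reads the `err=` and `nentries=` fields of slapd's stats-level log. As an added example (not code from the thread, from Samba or from OpenLDAP), here is a Python triage that pairs each request line with its `RESULT` line by `conn`/`op` and reports the operations that did not plainly succeed: a non-zero `err`, or a search that matched nothing (`nentries=0`). The second case is how an LDAP lookup can be error-free at the slapd level while Samba still cannot find the account or domain entry it asked for, which is why the samba logs are the next place to look. The log lines are constructed in slapd's syslog format; the DNs, filters and connection numbers are made up.

```python
"""Triage OpenLDAP slapd 'stats' log lines by pairing requests with their RESULT lines.

Added example for this thread, not Samba's or OpenLDAP's own code. The sample log
below is constructed (DNs, filters and connection numbers are made up).
"""
import re
from collections import OrderedDict

# A few LDAP result codes as they appear in slapd's err= field (RFC 4511 names)
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S*)')          # key=value or key="quoted value"
KIND = re.compile(r"op=\d+ ([A-Z]+(?: RESULT)?)")   # BIND, SRCH, RESULT, SEARCH RESULT, UNBIND

# Constructed sample: one admin connection doing a user and a domain lookup,
# and a second connection whose bind fails
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=127.0.0.1:43210 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=admin,dc=samba,dc=junits" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="dc=samba,dc=junits" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(uid=marcelo))"
conn=1001 op=1 SRCH attr=uid sambaNTPassword sambaAcctFlags
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=2 SRCH base="dc=samba,dc=junits" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=JUNITS))"
conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1002 op=0 BIND dn="cn=samba,dc=samba,dc=junits" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1001 op=3 UNBIND
"""


def parse_line(line):
    """Return the key=value fields of one log line plus the operation keyword under 'kind'."""
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = KIND.search(line)
    fields["kind"] = m.group(1) if m else None
    return fields


def triage(lines):
    """Pair every request with its RESULT (keyed by conn/op) and list the ones that did
    not plainly succeed: err != 0, or a search that matched nothing (nentries=0).
    Returns (conn, op, request kind, dn-or-filter, reason) tuples in log order."""
    ops = OrderedDict()
    for line in lines:
        f = parse_line(line)
        if "op" not in f or not f["kind"]:
            continue                      # ACCEPT / closed lines carry no op
        entry = ops.setdefault((int(f["conn"]), int(f["op"])), {"detail": ""})
        if f["kind"].endswith("RESULT"):
            entry["err"] = int(f["err"])
            if "nentries" in f:
                entry["nentries"] = int(f["nentries"])
        else:
            entry.setdefault("request", f["kind"])
            # the 'SRCH attr=' line repeats the op number; keep the dn/filter seen first
            if f.get("dn") or f.get("filter"):
                entry["detail"] = f.get("dn") or f.get("filter")
    findings = []
    for (conn, op), e in ops.items():
        if "err" not in e:
            continue                      # e.g. UNBIND has no RESULT line
        if e["err"] != 0:
            reason = "err=%d (%s)" % (e["err"], RESULT_NAMES.get(e["err"], "unknown"))
        elif e.get("nentries") == 0:
            reason = "nentries=0"
        else:
            continue
        findings.append((conn, op, e.get("request"), e["detail"], reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print("conn=%d op=%d %s %s: %s" % finding)
```

On the constructed sample, the user lookup on `op=1` is clean (err=0, nentries=1) and would not be listed, while the domain lookup on `op=2` and the failed bind on the second connection are. Real slapd output only carries these fields at loglevel `stats` (256); at `none` there is nothing to pair.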


[Samba] Re: LDAP + SASL (kerberos) password syncing

2005-01-21 Thread paul kölle
Mark Roach wrote:
> I have already wrapped some of the kadmin library for use from python,
> I'm not quite sure how to accomplish this piece of it, but it might be
> worth the effort...
I'd be very interested in that python stuff. Do you consider sharing the
code?

thanks
 Paul