Re: [Samba] AD and SAMBA
Thanx Andrew for the reply,

Simply omit 'password server' from your smb.conf. By default we find the most appropriate DC to contact -- Do u have any doc or link where I can read more about how does this works ?

Rgds

-Original Message-
From: abart...@samba.org [mailto:abart...@samba.org]
Sent: Friday, May 11, 2012 8:07 AM
To: Biju Babu (IT Services for Business ITSB Data, Integration and Application Services)
Cc: samba@lists.samba.org
Subject: Re: [Samba] AD and SAMBA

On Wed, 2012-05-09 at 18:31 +0530, biju_b...@cargill.com wrote:
> Hello all,
>
> I am trying to understand how SAMBA finds nearest Domain Controller
> when configured to use Active Directory for AuthN.
>
> There are some great articles and wikis about how to configure SAMBA
> against AD, but couldn't find much on what I was looking for.
>
> For example
> 1. Does Samba have built in dc locator functionality like windows
> clients ?
> 2. What is the default authN it uses, NTLM or Kerb ?

This is up to the client to choose, we support both.

> 3. I understand from an article
> (http://timstechnoblog.blogspot.com/search/label/Linux) that Winbind
> when configured to use * for domain controller will invoke Dc locator
> mechanism, but couldn't completely understand the relation b/w Samba
> and Winbind - is it SAMBA always uses winbind for AD communication and
> authentication ?

Yes. You should always start winbindd, and it will be the sole channel for communication with Active Directory.

> Root of all these questions are, SAMBA AD config I saw is configured
> to use a single password server, which is a single point of failure. I
> am trying to figure out how to avoid that.

Simply omit 'password server' from your smb.conf. By default we find the most appropriate DC to contact,

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] AD and SAMBA
On Wed, 2012-05-09 at 18:31 +0530, biju_b...@cargill.com wrote:
> Hello all,
>
> I am trying to understand how SAMBA finds nearest Domain Controller when
> configured to use Active Directory for AuthN.
>
> There are some great articles and wikis about how to configure SAMBA
> against AD, but couldn't find much on what I was looking for.
>
> For example
> 1. Does Samba have built in dc locator functionality like windows
> clients ?
> 2. What is the default authN it uses, NTLM or Kerb ?

This is up to the client to choose, we support both.

> 3. I understand from an article
> (http://timstechnoblog.blogspot.com/search/label/Linux) that Winbind
> when configured to use * for domain controller will invoke Dc locator
> mechanism, but couldn't completely understand the relation b/w Samba and
> Winbind - is it SAMBA always uses winbind for AD communication and
> authentication ?

Yes. You should always start winbindd, and it will be the sole channel for communication with Active Directory.

> Root of all these questions are, SAMBA AD config I saw is configured to
> use a single password server, which is a single point of failure. I am
> trying to figure out how to avoid that.

Simply omit 'password server' from your smb.conf. By default we find the most appropriate DC to contact,

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
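A check for the single point of failure discussed in this thread, as an added example that is not part of the original messages and is not Samba's own code: it parses an smb.conf and reports whether 'password server' pins DC selection to one host or leaves it automatic. The sample configs, host names and category labels are constructed for illustration, and treating an empty value or a parameter before any section header as described in the comments is an assumption.

```python
import re

# Constructed sample configs (host and realm names are placeholders).
SAMPLE_PINNED = """\
[global]
   workgroup = EXAMPLE
   realm = example.test
   security = ads
   Password Server = dc1.example.test
"""
SAMPLE_DEFAULT = """\
[global]
   workgroup = EXAMPLE
   realm = example.test
   security = ads
   ; password server = dc1.example.test
"""

def _key(name):
    # smb.conf(5): names are case-insensitive and whitespace in them is ignored.
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section, pending = {}, "global", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _key(line[1:-1])
            continue
        # Assumption of this example: parameters that appear before any
        # section header are counted as global.
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params

def dc_selection(conf_text):
    """Classify DC selection from 'password server'; labels are this example's own."""
    value = global_params(conf_text).get("passwordserver")
    entries = [e for e in re.split(r"[,\s]+", value or "") if e]
    hosts = [e for e in entries if e != "*"]
    if not hosts:
        # Omitted or only "*": DC lookup is automatic (an empty value is
        # treated the same way here, which is an assumption).
        return ("auto", [])
    if "*" in entries:
        return ("preferred+auto", hosts)   # listed DCs first, then lookup
    if len(hosts) == 1:
        return ("pinned-single", hosts)    # the single point of failure
    return ("pinned-list", hosts)          # explicit list, no automatic lookup

if __name__ == "__main__":
    for label, conf in (("pinned", SAMPLE_PINNED), ("default", SAMPLE_DEFAULT)):
        mode, hosts = dc_selection(conf)
        print(f"{label}: {mode} {hosts}")
```
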
Re: [Samba] AD and SAMBA
Any suggestions on this ?

Rgds

-Original Message-
From: Babu, Biju - biju_b...@cargill.com
Sent: Wednesday, May 09, 2012 6:32 PM
To: samba@lists.samba.org
Subject: AD and SAMBA

Hello all,

I am trying to understand how SAMBA finds nearest Domain Controller when configured to use Active Directory for AuthN.

There are some great articles and wikis about how to configure SAMBA against AD, but couldn't find much on what I was looking for.

For example
1. Does Samba have built in dc locator functionality like windows clients ?
2. What is the default authN it uses, NTLM or Kerb ?
3. I understand from an article (http://timstechnoblog.blogspot.com/search/label/Linux) that Winbind when configured to use * for domain controller will invoke Dc locator mechanism, but couldn't completely understand the relation b/w Samba and Winbind - is it SAMBA always uses winbind for AD communication and authentication ?

Root of all these questions are, SAMBA AD config I saw is configured to use a single password server, which is a single point of failure. I am trying to figure out how to avoid that.

Feel free to correct me if I asked stupid questions, my knowledge with SAMBA and other components are very limited.

Much appreciate your help.

Rgds
Biju
[Samba] AD and SAMBA
Hello all,

I am trying to understand how SAMBA finds nearest Domain Controller when configured to use Active Directory for AuthN.

There are some great articles and wikis about how to configure SAMBA against AD, but couldn't find much on what I was looking for.

For example
1. Does Samba have built in dc locator functionality like windows clients ?
2. What is the default authN it uses, NTLM or Kerb ?
3. I understand from an article (http://timstechnoblog.blogspot.com/search/label/Linux) that Winbind when configured to use * for domain controller will invoke Dc locator mechanism, but couldn't completely understand the relation b/w Samba and Winbind - is it SAMBA always uses winbind for AD communication and authentication ?

Root of all these questions are, SAMBA AD config I saw is configured to use a single password server, which is a single point of failure. I am trying to figure out how to avoid that.

Feel free to correct me if I asked stupid questions, my knowledge with SAMBA and other components are very limited.

Much appreciate your help.

Rgds
Biju
Re: [Samba] AD and samba secondary group problems
On 27 April 2011 19:40, Joe Cammisa wrote:
> arif, we had a similar problem under different circumstances -- in our case
> samba under solaris with the secondary group info coming from sun ldap. all
> worked flawlessly with respect to primary groups, but secondary group
> permissions were not honored. the "fix" in our case (until such time as we
> were able to fully patch the server) was a cron script that appended the
> ldap secondary group information to the file /etc/group -- for some reason,
> samba could only get secondary group info from this file, but not from any
> other naming service on our out of date box. not sure why you'd be facing
> this on such a recent vintage os, but i would try throwing some of the
> secondary groups in that file to see if it makes a difference. good luck!
>
>

Thanks for the suggestion I have tried that, and no luck at all.

I upgraded samba to 3.5.8, and I am still getting same problems.

In windows when I right-click folders and look at the security, I can see that the correct permissions are set by the relevant gid from the Linux FS. When we then as a user, who's secondary group who is allowed to write/read the files.

I get the following in the samba logs when I try to write a file to the samba share with the secondary group

[2011/04/28 12:01:38.106858, 3] smbd/process.c:1489(process_smb)
  Transaction 2303 of length 108 (0 toread)
[2011/04/28 12:01:38.106891, 3] smbd/process.c:1298(switch_message)
  switch message SMBtrans2 (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.106910, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (6305, 60003) - sec_ctx_stack_ndx = 0
[2011/04/28 12:01:38.106937, 3] smbd/trans2.c:5099(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2011/04/28 12:01:38.106967, 3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name [.] [//sambatest]
[2011/04/28 12:01:38.106984, 3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: . reduced to //sambatest
[2011/04/28 12:01:38.107008, 3] smbd/trans2.c:5225(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo . (fnum = -1) level=1004 call=5 total_data=0
[2011/04/28 12:01:38.107299, 3] smbd/process.c:1489(process_smb)
  Transaction 2304 of length 116 (0 toread)
[2011/04/28 12:01:38.107317, 3] smbd/process.c:1298(switch_message)
  switch message SMBntcreateX (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.107416, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/nttrans.c(550) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_PATH_NOT_FOUND
[2011/04/28 12:01:38.107650, 3] smbd/process.c:1489(process_smb)
  Transaction 2305 of length 144 (0 toread)
[2011/04/28 12:01:38.107667, 3] smbd/process.c:1298(switch_message)
  switch message SMBntcreateX (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.107717, 3] smbd/msdfs.c:746(dfs_redirect)
  dfs_redirect: Not redirecting \\sambatest\.svn\entries.
[2011/04/28 12:01:38.107733, 3] smbd/msdfs.c:757(dfs_redirect)
  dfs_redirect: Path \\sambatest\.svn\entries converted to non-dfs path .svn/entries
[2011/04/28 12:01:38.107766, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/nttrans.c(550) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_PATH_NOT_FOUND
[2011/04/28 12:01:38.108098, 3] smbd/process.c:1489(process_smb)
  Transaction 2306 of length 108 (0 toread)
[2011/04/28 12:01:38.108116, 3] smbd/process.c:1298(switch_message)
  switch message SMBtrans2 (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.108128, 3] smbd/trans2.c:5099(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2011/04/28 12:01:38.108147, 3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name [.] [//sambatest]
[2011/04/28 12:01:38.108162, 3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: . reduced to //sambatest
[2011/04/28 12:01:38.108179, 3] smbd/trans2.c:5225(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo . (fnum = -1) level=1004 call=5 total_data=0
[2011/04/28 12:01:38.108446, 3] smbd/process.c:1489(process_smb)
  Transaction 2307 of length 108 (0 toread)
[2011/04/28 12:01:38.108480, 3] smbd/process.c:1298(switch_message)
  switch message SMBtrans2 (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.108493, 3] smbd/trans2.c:5099(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2011/04/28 12:01:38.108516, 3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name [.] [//sambatest]
[2011/04/28 12:01:38.108530, 3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: . reduced to //sambatest
[2011/04/28 12:01:38.108547, 3] smbd/trans2.c:5225(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo . (fnum = -1) level=1004 call=5 total_data=0
[2011/04/28 12:01:38.108747, 3] smbd/process.c:1489(process_smb)
  Transaction 2308 of length 108 (0 toread)
[2011/04/28 12:01:38.108765, 3] smbd/process.c:1298(switch_message)
  switch message SMBtrans2 (pid 16083) conn 0x2b4d3a4de2c0
[2011/04/28 12:01:38.10
Re: [Samba] AD and samba secondary group problems
arif, we had a similar problem under different circumstances -- in our case samba under solaris with the secondary group info coming from sun ldap. all worked flawlessly with respect to primary groups, but secondary group permissions were not honored. the "fix" in our case (until such time as we were able to fully patch the server) was a cron script that appended the ldap secondary group information to the file /etc/group -- for some reason, samba could only get secondary group info from this file, but not from any other naming service on our out of date box. not sure why you'd be facing this on such a recent vintage os, but i would try throwing some of the secondary groups in that file to see if it makes a difference. good luck!

On Wed, Apr 27, 2011 at 2:32 PM, Arif Ali wrote:
> Hi list,
>
> I have gone through several mailing list archives, googled, tested several
> options, but we cannot figure out how we fix our problem.
>
> NIS provides the uid and gid in Linux
> AD provides the passwords
> storage is provided by GPFS via samba to windows users
>
> OS: RedHat 5.5 x86_64
> Samba: 3.4.2 and/or 3.5.2
>
> We are able to mount the home directories without any problems, we can
> read/write/rename/delete. The uid, and the gid have no problems writing to
> their respective areas, as per the permissions in Linux.
>
> The problem we have is that any permissions that users have wrt secondary
> groups are not being carried forward to the windows machines, and not
> recognised. we have tried to test this with a user whose primary group
> allows to go to sambatest, as defined below, but if another user has the
> same group but as a secondary group, this person cannot read/write/mount the
> share.
>
> My smb.conf is below, (with replaced/ sensitive information)
>
> regards,
> Arif
>
>    workgroup = DOMAIN
>    password server =
>    realm = domain.co.uk
>    security = ads
>    template shell = /bin/bash
>    winbind use default domain = yes
>    winbind offline logon = false
>    winbind seperator = +
>
> #--authconfig--end-line--
>    netbios name = csfs
>    idmap backend = tdb2
>    encrypt passwords = true
>    username map = /etc/samba/smbusers
>    smb passwd file = /etc/samba/smbpasswd
>    clustering = yes
>    interfaces = /22
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    socket options = TCP_NODELAY IPTOS_LOWDELAY
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>    winbind enum groups = Yes
>    winbind refresh tickets = true
>    winbind nested groups = yes
>    winbind nss info = template rfc2307
> ;passdb backend = tdbsam
>    idmap uid = 100-500
>    idmap gid = 100-500
>    idmap config DOMAIN:default = yes
>    idmap config DOMAIN:range = 500-10
>    idmap config DOMAIN:backend = ad
>    idmap config DOMAIN:schema_mode = rfc2307
>    include = /etc/samba/loglevel.%m
>    writeable = yes
>    msdfs root = yes
>
> [homes]
>    comment = Staff Home Directories
>    path = /users/%u
>    valid users = %S
>    create mask = 0750
>    vfs objects = gpfs fileid
>    fileid:mapping = fsname
>    gpfs:sharemodes = No
> #nfs4: mode = special
> #nfs4: chown = yes
> #nfs4: acedup = merge
>
> [support]
>    read only = no
>    comment = Support area
>    path = //support
>    valid users =
>    create mode = 0664
>    vfs objects = gpfs fileid
>    fileid:mapping = fsname
>    gpfs:sharemodes = No
>
> [sambatest]
>    read only = no
>    writeable = yes
>    comment = Testing Samba
>    path = //sambatest
>    create mask = 0750
>    vfs objects = gpfs fileid
>    fileid:mapping = fsname
>    gpfs:sharemodes = No
[Samba] AD and samba secondary group problems
Hi list,

I have gone through several mailing list archives, googled, tested several options, but we cannot figure out how we fix our problem.

NIS provides the uid and gid in Linux
AD provides the passwords
storage is provided by GPFS via samba to windows users

OS: RedHat 5.5 x86_64
Samba: 3.4.2 and/or 3.5.2

We are able to mount the home directories without any problems, we can read/write/rename/delete. The uid, and the gid have no problems writing to their respective areas, as per the permissions in Linux.

The problem we have is that any permissions that users have wrt secondary groups are not being carried forward to the windows machines, and not recognised. we have tried to test this with a user whose primary group allows to go to sambatest, as defined below, but if another user has the same group but as a secondary group, this person cannot read/write/mount the share.

My smb.conf is below, (with replaced/ sensitive information)

regards,
Arif

   workgroup = DOMAIN
   password server =
   realm = domain.co.uk
   security = ads
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = false
   winbind seperator = +

#--authconfig--end-line--
   netbios name = csfs
   idmap backend = tdb2
   encrypt passwords = true
   username map = /etc/samba/smbusers
   smb passwd file = /etc/samba/smbpasswd
   clustering = yes
   interfaces = /22
   dns proxy = no
   log file = /var/log/samba/log.%m
   socket options = TCP_NODELAY IPTOS_LOWDELAY
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   winbind enum groups = Yes
   winbind refresh tickets = true
   winbind nested groups = yes
   winbind nss info = template rfc2307
;passdb backend = tdbsam
   idmap uid = 100-500
   idmap gid = 100-500
   idmap config DOMAIN:default = yes
   idmap config DOMAIN:range = 500-10
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   include = /etc/samba/loglevel.%m
   writeable = yes
   msdfs root = yes

[homes]
   comment = Staff Home Directories
   path = /users/%u
   valid users = %S
   create mask = 0750
   vfs objects = gpfs fileid
   fileid:mapping = fsname
   gpfs:sharemodes = No
#nfs4: mode = special
#nfs4: chown = yes
#nfs4: acedup = merge

[support]
   read only = no
   comment = Support area
   path = //support
   valid users =
   create mode = 0664
   vfs objects = gpfs fileid
   fileid:mapping = fsname
   gpfs:sharemodes = No

[sambatest]
   read only = no
   writeable = yes
   comment = Testing Samba
   path = //sambatest
   create mask = 0750
   vfs objects = gpfs fileid
   fileid:mapping = fsname
   gpfs:sharemodes = No
[Samba] AD and Samba
I am new to samba and we have few earlier versions of ver_3 installed on some old *nix system. I need W2K3-AD domain user to be able to access files on these systems.

I've read in many documentations that version 3 and above can easily be integrated into AD domain, but is there anyway I could provide file-access to older version. I am not pertaining to integrating these old system into the AD-domain, so I do not know if a WINS-server would be a solution.

Any Ideas?

Thanks,
topokin
[Samba] ad and samba and a share - pam needed?
Okay, I think I am finally joined to a domain in ad with aix server (I dumped mit kerberos and used heimdal instead, which worked great). I can wbinfo -u/-g users and groups and I see everything in my ad realm. I was trying to do a test share, but I am not sure why I cannot connect:

My user exists on the unix box and the same name exists on the ad server.

The share was:

[samba]
   path = /usr/local/samba/test
   valid users = DOMAIN/mylogin

I tried to type chown DOMAIN/mylogin /usr/local/samba/test, but that does not work. Did I need pam to allow me to do things like this?

David Shapiro
Unix Team Lead
919-765-2011
Re: [Samba] AD and Samba BDC
On Tue, 2006-01-24 at 13:57 -0200, Marcelo H. Terres wrote:
> Hi.
>
> I don't find a way to make a Samba BDC replicate an AD Server. I need to
> authenticate in Samba BDC if my link with AD PDC goes down. I read that it
> is not possible.

This is not possible with Samba3.

> Is this true ? Samba 4 will do this ?

Samba4 has been demonstrated to 'take over' an AD domain, but we don't currently process continuous operation of a BDC (ie receiving updates as account change). I don't know what other consequences of running both Win2k3 and Samba4 in the same domain, as domain controllers will be.

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
[Samba] AD and Samba BDC
Hi.

I don't find a way to make a Samba BDC replicate an AD Server. I need to authenticate in Samba BDC if my link with AD PDC goes down. I read that it is not possible.

Is this true ? Samba 4 will do this ?

Thanks,

--
Marcelo H. Terres
[EMAIL PROTECTED]
[Samba] AD and Samba File Server 2
By the way, Samba is 3.0.0 RC 4
[Samba] AD and Samba File Server
Hi All,

We have an Active Directory Domain and we want a SMB file server that give permissions depending on the Active Directory..

For example we want to give X user to RW to Foo1 directory but no to read Foo2 directory and Give Y user RW both Foo1 and Foo2 directories. And X,Y are AD users...

How can we achieve this.

Any help is very valuable..

Thanks
Burak