[Samba] failed to get machine password for account samba pdc + ldap
I have the following problem: when a machine is already in my domain, after a few days these messages begin in /var/log/log.

[2012/10/04 09:51:51.004275, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU1$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.741838, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.741883, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.744344, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.744371, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU333$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.747119, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.747150, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU4$: NT_STATUS_ACCESS_DENIED

I have the same error with the other PCs in my domain. Does someone have a solution? Thanks.

The strange thing is that the machines are in the domain in the LDAP; when you query the active directory, it returns the PC information.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
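An added example, not part of the original post and not Samba's own code: a small Python parser for log records in the format quoted above that groups failed machine-account authentications per account, so repeated failures and accounts missing from the directory stand out. The sample log, the account names WKS01$/WKS02$ and the unrelated record are constructed, and pairing a get_md4pw record with the _netr_ServerAuthenticate3 record that directly follows it is an assumption based on the ordering in the post.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Samba 3.5-style record: "[date time.usec, level] file.c:line(function)" then the
# message, which runs to the next record header (on the same line or the next one).
RECORD = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s+"
    r"\S+?:\d+\((?P<func>\w+)\)\s*"
    r"(?P<msg>.*?)(?=\[\d{4}/\d{2}/\d{2} \d{2}:|\Z)",
    re.S,
)
NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+?): no account in domain")
AUTH_FAIL = re.compile(
    r"_netr_ServerAuthenticate3: failed to get machine password "
    r"for account (\S+?): (NT_STATUS_\w+)"
)

# Constructed sample: the first records use Samba's two-line layout, the last line
# has several records run together as they appear in the archived post.
SAMPLE_LOG = """\
[2012/10/05 09:51:51.004275,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account WKS01$: NT_STATUS_ACCESS_DENIED
[2012/10/05 09:51:55.741838,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation WKS02$: no account in domain
[2012/10/05 09:51:55.741883,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account WKS02$: NT_STATUS_ACCESS_DENIED
[2012/10/05 09:52:10.000001,  3] example/unrelated.c:1(unrelated) unrelated record (constructed) [2012/10/05 09:53:02.100000,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw) get_md4pw: Workstation WKS02$: no account in domain [2012/10/05 09:53:02.100044,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: failed to get machine password for account WKS02$: NT_STATUS_ACCESS_DENIED
"""


def parse_records(text):
    """Yield (time, level, function, message) for every record in the log text."""
    for m in RECORD.finditer(text):
        when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        message = " ".join(m.group("msg").split())  # collapse wrapped lines
        yield when, int(m.group("level")), m.group("func"), message


def netlogon_failures(text):
    """Return one event per failed machine-account authentication."""
    events = []
    pending = None  # account named by a directly preceding get_md4pw record
    for when, _level, _func, message in parse_records(text):
        missing = NO_ACCOUNT.search(message)
        if missing:
            pending = missing.group(1)
            continue
        failed = AUTH_FAIL.search(message)
        if failed:
            events.append({
                "time": when,
                "account": failed.group(1),
                "status": failed.group(2),
                "lookup_missed": pending,  # None: no "no account" record before it
            })
        pending = None  # any other record breaks the pairing
    return events


def summarize(events):
    """Aggregate events per account: failure count, missing lookups, time span."""
    summary = OrderedDict()
    for ev in events:
        row = summary.setdefault(ev["account"], {
            "failures": 0, "no_account": 0,
            "first": ev["time"], "last": ev["time"],
        })
        row["failures"] += 1
        if ev["lookup_missed"] is not None:
            row["no_account"] += 1
        row["first"] = min(row["first"], ev["time"])
        row["last"] = max(row["last"], ev["time"])
    return summary


if __name__ == "__main__":
    for account, row in summarize(netlogon_failures(SAMPLE_LOG)).items():
        print(f"{account}: {row['failures']} failures, "
              f"{row['no_account']} with no account in domain, "
              f"{row['first']} .. {row['last']}")
```

Accounts whose failures all carry a "no account in domain" lookup are the ones to compare against the LDAP directory first.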
[Samba] samba PDC + ldap: segfault in uid_to_sid/_nss_ldap_getpwuid_r
All,

on a fairly large (73 TB XFS) file server running CentOS 6.2, samba 3.5.10-116.el6_2 I see pretty frequently backtraces like this one:

May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793851, 0] lib/fault.c:46(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793921, 0] lib/fault.c:47(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: INTERNAL ERROR: Signal 11 in pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]: Please read the Trouble-Shooting section of the Samba3-HOWTO
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793947, 0] lib/fault.c:49(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
May 11 15:54:19 vrfs001 smbd[11709]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793982, 0] lib/fault.c:50(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.794010, 0] lib/util.c:1490(smb_panic)
May 11 15:54:19 vrfs001 smbd[11709]: PANIC (pid 11709): internal error
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.826895, 0] lib/util.c:1594(log_stack_trace)
May 11 15:54:19 vrfs001 smbd[11709]: BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]: #0 smbd(log_stack_trace+0x1a) [0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]: #1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]: #2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]: #3 /lib64/libc.so.6(+0x32900) [0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]: #4 /lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]: #5 /lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]: #6 /lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]: #7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]: #8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]: #9 smbd(uid_to_sid+0x10b) [0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]: #10 smbd(create_file_sids+0x1f) [0x7fae10facd0f]
May 11 15:54:19 vrfs001 smbd[11709]: #11 smbd(+0x164689) [0x7fae10fb5689]
May 11 15:54:19 vrfs001 smbd[11709]: #12 smbd(posix_get_nt_acl+0x10b) [0x7fae10fb63fb]
May 11 15:54:19 vrfs001 smbd[11709]: #13 smbd(+0x1872bd) [0x7fae10fd82bd]
May 11 15:54:19 vrfs001 smbd[11709]: #14 smbd(smb_vfs_call_get_nt_acl+0x2d) [0x7fae10fa7b9d]
May 11 15:54:19 vrfs001 smbd[11709]: #15 smbd(can_access_file_acl+0x6f) [0x7fae10fc7d1f]
May 11 15:54:19 vrfs001 smbd[11709]: #16 smbd(reply_ntcreate_and_X+0xf25) [0x7fae10f69a65]
May 11 15:54:19 vrfs001 smbd[11709]: #17 smbd(+0x1690f5) [0x7fae10fba0f5]
May 11 15:54:19 vrfs001 smbd[11709]: #18 smbd(+0x169497) [0x7fae10fba497]
May 11 15:54:19 vrfs001 smbd[11709]: #19 smbd(+0x1699f8) [0x7fae10fba9f8]
May 11 15:54:19 vrfs001 smbd[11709]: #20 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]: #21 smbd(smbd_process+0x82b) [0x7fae10fb966b]
May 11 15:54:19 vrfs001 smbd[11709]: #22 smbd(+0x678fce) [0x7fae114c9fce]
May 11 15:54:19 vrfs001 smbd[11709]: #23 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]: #24 smbd(+0x38bee1) [0x7fae111dcee1]
May 11 15:54:19 vrfs001 smbd[11709]: #25 smbd(_tevent_loop_once+0x90) [0x7fae111dd2c0]
May 11 15:54:19 vrfs001 smbd[11709]: #26 smbd(main+0xb7b) [0x7fae114cad2b]
May 11 15:54:19 vrfs001 smbd[11709]: #27 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7fae0e01ccdd]
May 11 15:54:19 vrfs001 smbd[11709]: #28 smbd(+0xea849) [0x7fae10f3b849]
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.827188, 0] lib/fault.c:326(dump_core)
May 11 15:54:19 vrfs001 smbd[11709]: dumping core in /var/log/samba/cores/smbd

pwuid information is stored in OpenLDAP on this machine - could this be related?

anyone ever seen this - any clue how to debug this further?

thanks,
guenter
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Jon Detert jdet...@infinityhealthcare.com:

> Turns out you are correct. So, I deleted the 'user'=testfsclient$ from the ou=Computers, and retried, but it failed with the same error, and it re-created the user object.
>
> Any ideas how/why joining the domain is not fully working?
>
> Thanks,
>
> Jon

Jon

A couple more things:

1) smbldap-populate initializes the sambaGroupType for all the S-1-5-32-* SIDs to 5. This is incorrect. It should be 4, but this probably isn't causing this issue.

2) I think that root needs to be in the Domain Admins group in order to join a machine to the domain, not the Administrators group which is a local group. At least that is how I am set up.

3) Depending on the details of your implementation you may not need to use smbldap-tools at all. Have a look at the ldapsam:editposix and ldapsam:trusted on the smb.conf man page. Note that using ldapsam:editposix is one case where winbind is required on a Samba PDC.

Mike

This message was sent using IMP, the Internet Messaging Program.
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
ldapsam:editposix is, as far as I can tell, not a good solution; whenever I tried this it did not work right. And there is nowhere a good and new howto about this feature. No description goes into depth.

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Mike Brady
Sent: Wednesday, 23 February 2011 09:17
To: Jon Detert
Cc: samba@lists.samba.org
Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

Jon

A couple more things:

1) smbldap-populate initializes the sambaGroupType for all the S-1-5-32-* SIDs to 5. This is incorrect. It should be 4, but this probably isn't causing this issue.

2) I think that root needs to be in the Domain Admins group in order to join a machine to the domain, not the Administrators group which is a local group. At least that is how I am set up.

3) Depending on the details of your implementation you may not need to use smbldap-tools at all. Have a look at the ldapsam:editposix and ldapsam:trusted on the smb.conf man page. Note that using ldapsam:editposix is one case where winbind is required on a Samba PDC.

Mike
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Daniel Müller muel...@tropenklinik.de:

> ldapsam:editposix is, as far as I can tell, not a good solution; whenever I tried this it did not work right. And there is nowhere a good and new howto about this feature. No description goes into depth.

Daniel

Exactly how did ldapsam:editposix not work right? I thought that the smb.conf man page described things well enough.

I have converted my test set up from using smbldap-tools to using ldapsam:posixedit and so far it is doing everything that I was using smbldap-tools for correctly. I am using the SerNet 3.5.6 RPMs.

Mike
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
On 23:39:39 wrote Mike Brady:

> Daniel
>
> Exactly how did ldapsam:editposix not work right? I thought that the smb.conf man page described things well enough.
>
> I have converted my test set up from using smbldap-tools to using ldapsam:posixedit and so far it is doing everything that I was using smbldap-tools for correctly. I am using the SerNet 3.5.6 RPMs.
>
> Mike

I have two installations with ldapsam:editposix on debian lenny, samba 3.4.5. Both are running fine. No problems.

--
Regards
Harry Jede
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
I had a test system running with the same rpms. Did the setup as described and could not change user passwords and sync things the way it should to my ldap slave. In the end I recognized I had to run winbind on the pdc!? And after all I was missing a real step by step setup. So I returned to samba/ldap smbldaptools, setting up my system in an hour (Master - Master Replication). If you can post your editposix setup to me I would try a second time :-)

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Mike Brady [mailto:mike.br...@devnull.net.nz]
Sent: Wednesday, 23 February 2011 19:18
To: muel...@tropenklinik.de
Cc: 'Jon Detert'; samba@lists.samba.org
Subject: Re: AW: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

Daniel

Exactly how did ldapsam:editposix not work right? I thought that the smb.conf man page described things well enough.

I have converted my test set up from using smbldap-tools to using ldapsam:posixedit and so far it is doing everything that I was using smbldap-tools for correctly. I am using the SerNet 3.5.6 RPMs.

Mike
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady mike.br...@devnull.net.nz wrote:

> I am working through a similar setup at the moment. Looking at the smbldap-useradd source, status 9 is user must not exist in LDAP, so I assume from that that the workstation userid already exists?

Turns out you are correct. So, I deleted the 'user'=testfsclient$ from the ou=Computers, and retried, but it failed with the same error, and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
On Mon, Feb 21, 2011 at 10:14 PM, Jon Detert jdet...@infinityhealthcare.com wrote:

> I assume that the 'group not found' log entries are not significant, and that '9' was the return code from smbldap-useradd. Anyone know what return code 9 means? Anyone have ideas how to remedy this problem?

according to http://leto.net/docs/ldap_error_code.php, it means 'reserved', which may, or may not, shed more light into this.

HTH,
--
natxo
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Natxo Asenjo natxo.ase...@gmail.com:

> according to http://leto.net/docs/ldap_error_code.php, it means 'reserved', which may, or may not, shed more light into this.
>
> HTH,
> --
> natxo

Those are LDAP errors. The smbldap-tools return their own set of errors.
Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Jon Detert jdet...@infinityhealthcare.com:

> Turns out you are correct. So, I deleted the 'user'=testfsclient$ from the ou=Computers, and retried, but it failed with the same error, and it re-created the user object.
>
> Any ideas how/why joining the domain is not fully working?
>
> Thanks,
>
> Jon

Jon

The error is returned if there is a successful LDAP query for the machine name anywhere in LDAP. Does the machine name exist somewhere else other than ou=Computers?

You could also try running the full smbldap-useradd command as it is logged from the command line and see if it gives any more information. The smbldap-user script does print out additional information that Samba doesn't look like it captures in the logs.

Mike
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
Hello,

I can't join a winxp box to my samba domain. I just have one samba server, meant to act as a PDC for domain='CHI'. Any ideas how to troubleshoot and/or remedy?

Thanks,
Jon

Context: samba v3.3.8 on CentOS v5.5, using ldapsam backend. Domainname ='CHI'. smbldap-tools v0.9.6. I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user 'jdetert', which is a member of the 'Administrators' group:

# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens: -- a failure dialog window pops up on the winxp box with this message: 'The following error occurred attempting to join the domain CHI: The user name could not be found.'

And here are the interesting bits (as far as I can tell) from the samba logs:

log.smb
[2011/02/21 14:32:07, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07, 2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/02/21 14:32:07, 3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07, 4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
..
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-500]
...
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
/log.smb

interesting bits in the log.clientMachineName, where clientMachineName=testfsclient

log.testfsclient
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
[editor's note: that's for the group 'Users'. Also couldn't find groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'), and S-1-5-11 ('Authenticated Users').]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[editor's note: the SID ending in 11002 is the user 'jdetert' that attempted to join the machine, and the SID ending in 11001 is jdetert's primary GID.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
[editor's note: 'TESTFSCLIENT' is the name of the machine I was trying to join.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w -c Workstation (testfsclient$) testfsclient$' gave 9
[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
/log.testfsclient

I assume that the 'group not found' log entries are not significant, and that '9' was the return code from smbldap-useradd. Anyone know what return code 9 means? Anyone have ideas how to remedy this problem?

Thanks,
Jon
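The smbd debug entries quoted in the post above follow a fixed layout, so the failing step of a domain join can be pulled out mechanically. The following is an added example, not part of the original post and not Samba code: a parser for those entries that flags failed account lookups, helper scripts that exited non-zero, and NT_STATUS errors. The names `parse_entries` and `find_join_failures` are hypothetical; the sample is three entries copied from the post, and the alternate header layout handled by the pattern is the one used by later 3.x releases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Header of one smbd debug entry. Samba 3.0-3.3 (as in the post) writes
# "file.c:function(line)"; later 3.x releases write "file.c:line(function)"
# and add microseconds to the timestamp. Both layouts are accepted.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+\.c):"
    r"(?:(?P<func_a>[A-Za-z_]\w*)\((?P<line_a>\d+)\)"
    r"|(?P<line_b>\d+)\((?P<func_b>[A-Za-z_]\w*)\))"
)
# smbd logs external helper invocations as: Running the command `...' gave N
SCRIPT_RESULT = re.compile(r"Running the command `(?P<cmd>.+?)' gave (?P<rc>-?\d+)")
MISSING_ACCOUNT = re.compile(r"Unable to locate user \[(?P<name>[^\]]+)\]")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")


@dataclass
class Entry:
    timestamp: str
    level: int
    source: str
    function: str
    message: str


@dataclass
class Finding:
    timestamp: str
    function: str
    kind: str                     # account_missing | script_failed | nt_status
    detail: str                   # account name, command line, or status code
    exit_code: Optional[int] = None


def parse_entries(text: str) -> List[Entry]:
    """Split log text into entries. Splitting on headers rather than on
    newlines means it also works on logs flattened by mail archives."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[m.end():end].split())
        entries.append(Entry(m["ts"], int(m["level"]), m["src"],
                             m["func_a"] or m["func_b"], message))
    return entries


def find_join_failures(entries: List[Entry]) -> List[Finding]:
    """Return the entries that explain a failed join, in log order."""
    findings = []
    for e in entries:
        m = MISSING_ACCOUNT.search(e.message)
        if m:
            findings.append(Finding(e.timestamp, e.function,
                                    "account_missing", m["name"]))
        m = SCRIPT_RESULT.search(e.message)
        if m and int(m["rc"]) != 0:
            findings.append(Finding(e.timestamp, e.function, "script_failed",
                                    m["cmd"], int(m["rc"])))
        for status in NT_STATUS.findall(e.message):
            if status != "NT_STATUS_OK":
                findings.append(Finding(e.timestamp, e.function,
                                        "nt_status", status))
    return findings


# Three entries copied from the post above; the first two are left flattened
# onto one line, the third keeps the two-line layout smbd writes.
SAMPLE = (
    "[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519) "
    "ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0 "
    "[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342) "
    "_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w -c "
    "Workstation (testfsclient$) testfsclient$' gave 9 "
    "[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)\n"
    "  pdb_default_create_user: failed to create a new user structure: "
    "NT_STATUS_NO_SUCH_USER\n"
)

if __name__ == "__main__":
    for f in find_join_failures(parse_entries(SAMPLE)):
        code = "" if f.exit_code is None else f" (exit {f.exit_code})"
        print(f"{f.timestamp} {f.function}: {f.kind}: {f.detail}{code}")
```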
[Samba] Debian Lenny: Samba PDC + LDAP
Hey out there.

I have to get my PDC to work now, and I'm so close to desperation that I have taken myself in looking at a windows server. My problem is that I have to get roaming profiles for some Windows XP Pro clients to work, and I have a Debian based server solution.

The problem is that I can't see where I do something wrong... When I run smbldap-useradd -w testing$ it gets imported to LDAP, when I try to connect my client, Samba connects to LDAP, when I do an LDAP-search I get the info that I want, when I test to see if my Admin user is possible to find from UNIX it returns the right thing, what have I missed?

# getent passwd Admin
Admin:x:0:0:Netbios Domain Administrator:/home/Admin:/bin/false

LDAP-search string: http://pastebin.com/m6d9f595a
Log when I try to join a client: http://pastebin.com/m697c7f35
Samba-conf: http://pastebin.com/m188ee119
slapd.conf: http://pastebin.com/m6f13648a
schema.conf: http://pastebin.com/m71cca406
ldap.conf: http://pastebin.com/m52b39761
nsswitch.conf: http://pastebin.com/m7d2dc9b0

System info:
Clean installed Debian Lenny (5.0.3)
Clean installed Samba 3.2.5 + Winbind 3.2.5
Clean installed OpenLDAP 2.4.11 (slapd)
Debian default smbldap-tools (smbldap-populate is working and has populated LDAP without problems)

If there is something I have forgotten please just ask for it, I'm still close to being desperate!

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
Re: [Samba] Debian Lenny: Samba PDC + LDAP
I have just checked my PAM.d settings: http://pastebin.com/m6844b37b and I can't see what might be wrong here. I will test if I can log on to the console when I get my hands on the server. Do I have to reboot when pam.d settings have changed? In that case I will wait until I'm next to the server.

It's not possible to log on to a samba-share with the Admin user, error in LDAP, NT_STATUS_NO_SUCH_USER

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

David Harrison wrote:

The error log you posted seems to suggest an error with your PAM/LDAP configuration. The error messages you are seeing are exactly the same as these people:
http://lists.samba.org/archive/samba/2004-November/095960.html
http://lists.samba.org/archive/samba/2006-December/127799.html

Take a second look at how this is all configured. If it is working you should be able to login to the local server console using your LDAP-based credentials. Likewise run some tests just connecting to a Samba share as Admin. If both these things are working then your domain logons should be happier.

David

On Mon, Feb 15, 2010 at 9:29 PM, Henrik Dige Semark h...@semark.dk wrote:

Hey out there.

I have to get my PDC to work now, and I'm so close to desperation that I have taken myself in looking at a windows server. My problem is that I have to get roaming profiles for some Windows XP Pro clients to work, and I have a Debian based server solution.

The problem is that I can't see where I do something wrong... When I run smbldap-useradd -w testing$ it gets imported to LDAP, when I try to connect my client, Samba connects to LDAP, when I do an LDAP-search I get the info that I want, when I test to see if my Admin user is possible to find from UNIX it returns the right thing, what have I missed?

# getent passwd Admin
Admin:x:0:0:Netbios Domain Administrator:/home/Admin:/bin/false

LDAP-search string: http://pastebin.com/m6d9f595a
Log when I try to join a client: http://pastebin.com/m697c7f35
Samba-conf: http://pastebin.com/m188ee119
slapd.conf: http://pastebin.com/m6f13648a
schema.conf: http://pastebin.com/m71cca406
ldap.conf: http://pastebin.com/m52b39761
nsswitch.conf: http://pastebin.com/m7d2dc9b0

System info:
Clean installed Debian Lenny (5.0.3)
Clean installed Samba 3.2.5 + Winbind 3.2.5
Clean installed OpenLDAP 2.4.11 (slapd)
Debian default smbldap-tools (smbldap-populate is working and has populated LDAP without problems)

If there is something I have forgotten please just ask for it, I'm still close to being desperate!

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
[Samba] Samba PDC LDAP and LDAP Aliases
Hello all

I've got a problem with unresolved (at least I guess that) LDAP Aliases and Samba.

That's my LDAP Setup:

ou=alvhaus,ou=ch { base }
ou=People,ou=alvhaus,ou=ch { posix and samba accounts }
ou=Group,ou=alvhaus,ou=ch { posix and samba groups }
ou=Samba,ou=alvhaus,ou=ch { samba base dn }
ou=Idmap,ou=Samba,ou=alvhaus,ou=ch
ou=Machines,ou=Samba,ou=alvhaus,ou=ch
ou=PeopleAlias,ou=Samba,ou=alvhaus,ou=ch { that's an alias to ou=People,ou=alvhaus,ou=ch }
ou=GroupAlias,ou=Samba,ou=alvhaus,ou=ch { that's an alias to ou=Group,ou=alvhaus,ou=ch }

ldapsearch -h MYHOST -D uid=Account Admin,ou=System Accounts,dc=alvhaus,dc=ch -W -b ou=Samba,dc=alvhaus,dc=ch -a search -s one

The output of ldapsearch is right! The aliases are correctly resolved (controlled by the -a search parameter)

# People, alvhaus.ch
dn: ou=People,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: People

# Group, alvhaus.ch
dn: ou=Group,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Group

# Idmap, Samba, alvhaus.ch
dn: ou=Idmap,ou=Samba,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Idmap

# Machines, Samba, alvhaus.ch
dn: ou=Machines,ou=Samba,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Machines

# FILESERV, Samba, alvhaus.ch
dn: sambaDomainName=FILESERV,ou=Samba,dc=alvhaus,dc=ch
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
... more

My smb.conf

ldap admin dn = uid=Account Admin,ou=System Accounts,dc=alvhaus,dc=ch
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = ou=Samba,dc=alvhaus,dc=ch
ldap ssl = no
ldap user suffix = ou=People

For me it looks right! And it's also working, if People and Group aren't aliased. So I guess samba pdc is not resolving aliases.

Version 3.4.0

-Ivo Steinmann
Re: [Samba] Samba PDC LDAP and LDAP Aliases
On 2009-12-10 at 14:40 +0100 Ivo Steinmann sent off:

For me it looks right! And it's also working, if People and Group aren't aliased. So I guess samba pdc is not resolving aliases.

In the next samba release (not yet in 3.5 ...) you'll be able to tell samba whether and how to do alias dereferencing. But you should be able to tell the ldap library to do that by default, too - see ldap.conf(5). That would also make your -a option in ldapsearch obsolete.

Cheers
Björn
[Samba] Samba PDC, LDAP, IDMAP backend not working
Please help. I've been searching for days, trying nearly everything I can find that seems relevant, but I can't get this working.

I am able to create users, login to Windows systems joined to the SAMBA domain as those users, but filesystem ACLs on Windows Domain Member Servers do not work, which I suspect is due to my IDMAP OU being empty.

wbinfo -u returns
  Error looking up domain users
wbinfo -g returns:
  BUILTIN/administrators
  BUILTIN/users
wbinfo -t returns
  checking the trust secret via RPC calls succeeded
getent passwd -and- getent group list all my local and domain users and groups respectively.

When running wbinfo -u my log.winbindd shows:

[2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn SID_TO_GID
[2008/12/26 12:24:52, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
  [23999]: sid to gid S-1-5-32-546
[2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(673)
  find_lookup_domain_from_sid(S-1-5-32-546)
[2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(676)
  calling find_domain_from_sid
[2008/12/26 12:24:52, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 23794
[2008/12/26 12:24:52, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
  lookupsid returned an error
[2008/12/26 12:24:52, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
  sid2gid_lookupsid_recv: Could not convert get sid type for S-1-5-32-546
[2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PING
[2008/12/26 12:24:52, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [23999]: ping

smbldap-tools seem to function correctly.
net commands seem to function correctly.

Any idea where the problem might be? Thank you!

Ubuntu 8.04 LTS
Samba 3.0.28a
OpenLDAP 2.4.9

smb.conf:

[global]
unix charset = LOCALE
workgroup = VOICECURVE
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
passdb backend = ldapsam
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
log level = 3 passdb:5 auth:10 winbind:10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p -a %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon path =
domain logons = Yes
os level = 35
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=voicecurve,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=voicecurve,dc=com
ldap user suffix = ou=Users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap domains = VOICECURVE
idmap alloc backend = ldap
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 1 - 1000
idmap alloc config:ldap_url = ldap://localhost/
idmap alloc config:ldap_user_dn = cn=admin,dc=voicecurve,dc=com
idmap alloc config:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com
idmap config VOICECURVE:range = 1 - 1000
idmap config VOICECURVE:ldap_url = ldap://localhost/
idmap config VOICECURVE:ldap_user_dn = cn=admin,dc=voicecurve,dc=com
idmap config VOICECURVE:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com
idmap config VOICECURVE:backend = ldap
idmap config VOICECURVE:default = yes
ldapsam:editposix = yes
ldapsam:trusted = yes

nsswitch.conf:

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
RE: [Samba] Samba PDC + LDAP: adding user to local admin group
hmmm giving users local admin rights, that's not the way to do it, and it makes your network insecure.. Better control this through the domain groups.

This is how I do it. I create a domain group, add the users in it, and through loginscript I create a local group and add the domain group in it. Now on directories/files or in registry I give the local group the needed rights.

Louis

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Gustavo Michels
Sent: Thursday 9 October 2008 22:27
To: samba@lists.samba.org
Subject: [Samba] Samba PDC + LDAP: adding user to local admin group

Hi all,

I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend.

So far, so good, everything is working beautifully well, I can add computers to the domain, log in from any workstation, access shares with the appropriate rights and so on.

However there's one last thing I need: some normal domain users need administrative rights on their local machines. I know I can go into each workstation and add the user to local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005):

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) - Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) - Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) - Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) - Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) - Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Admins:*:10002:
Local Admins:*:10005:10003

# getent passwd |grep producao
producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false

User 'producao' is a member of 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a windows NT4 domain).

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech cn=Local Admins
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=Local Admins
# requesting: ALL
#

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.

So, what is wrong in here? Or it isn't possible to do it in the domain level?

Thanks
Gustavo

[1] http://www.zimbra.com
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
Hi all,

On Thu, Oct 9, 2008 at 6:29 PM, Tim Bates [EMAIL PROTECTED] wrote:

Not sure if you can do it like that, but if you only want to give them local admin on their own computer (and not everyone else's), you're going to want to do it on each computer manually anyway... Or via a script if you're going to have to change them often. If you set it at a domain level like you said, it would give them admin rights anywhere they can log into.

Well actually it wouldn't be a big problem if the user has local admin rights on any machine.

On Fri, Oct 10, 2008 at 4:17 AM, L.P.H. van Belle [EMAIL PROTECTED] wrote:

hmmm giving users local admin rights, that's not the way to do it, and it makes your network insecure.. Better control this through the domain groups. This is how I do it. I create a domain group, add the users in it, and through loginscript I create a local group and add the domain group in it. Now on directories/files or in registry I give the local group the needed rights.

That's a nice approach, but what commands do I have available to do such tasks as create/add groups on the local machine? I don't have deep technical knowledge of windows networking.

Anyway, I thought this was a trivial task and it seems it is not. So, as there aren't many users with this special need, I'm starting to consider the manual way of adding them to the local admin group on their own machine.

Thanks.
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
On 10/9/2008, Tim Bates ([EMAIL PROTECTED]) wrote:

If you set it at a domain level like you said, it would give them admin rights anywhere they can log into.

But if you control which workstations they can log into, this isn't really a problem - save the part of them having local admin rights... ;)

--
Best regards,
Charles
[Samba] Samba PDC + LDAP: adding user to local admin group
Hi all,

I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend.

So far, so good, everything is working beautifully well, I can add computers to the domain, log in from any workstation, access shares with the appropriate rights and so on.

However there's one last thing I need: some normal domain users need administrative rights on their local machines. I know I can go into each workstation and add the user to local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005):

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) - Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) - Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) - Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) - Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) - Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Admins:*:10002:
Local Admins:*:10005:10003

# getent passwd |grep producao
producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false

User 'producao' is a member of 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a windows NT4 domain).

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech cn=Local Admins
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=Local Admins
# requesting: ALL
#

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.

So, what is wrong in here? Or it isn't possible to do it in the domain level?

Thanks
Gustavo

[1] http://www.zimbra.com
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
Gustavo Michels wrote:

So, what is wrong in here? Or it isn't possible to do it in the domain level?

Not sure if you can do it like that, but if you only want to give them local admin on their own computer (and not everyone else's), you're going to want to do it on each computer manually anyway... Or via a script if you're going to have to change them often. If you set it at a domain level like you said, it would give them admin rights anywhere they can log into.

TB
[Samba] samba PDC, ldap and ntlm_auth
Hello

I need to use ntlm_auth for samba users existing on the same machine (samba PDC, Squid and Openldap in the same server). I read some mail in this list, particularly messages of Hesham S. Ahmed of Oct 7 2002, and I understand that to do this I need to join the PDC to itself, but when I use net join I receive this message

# /usr/bin/net join
Unable to find a suitable server
Unable to find a suitable server

If I use

# /usr/bin/net join -S BACKUP
Password:
Could not connect to server BACKUP
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

I use samba with ldap database, this is a piece of the smb.conf file

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings =
[global]
workgroup = UNIVERSITA
netbios name =BACKUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the loopback interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.9.
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# printcap name = /etc/printcap
#
#load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# This option tells cups that the data has already been rasterized
# cups options = raw
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user nobody is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/utenti.log
; log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/smbd.log
log level=3
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
# Use password server option only with security = server
; password server = NT-Server-Name
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
encrypt passwords=yes
security = user
mangling method = hash2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = yes
ldap admin dn= cn=Manager,dc=universita,dc=it
ldap suffix = dc=universita,dc=it
ldap group suffix = ou=Gruppi
ldap user suffix= ou=Utenti
ldap machine suffix= ou=Computers
ldap idmap suffix= ou=Idmap
ldap delete dn= yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
add machine script =/usr/sbin/smbldap-useradd -t 0 -w %u
add user script =/usr/sbin/smbldap-useradd -a -m %u
delete user script =/usr/sbin/smbldap-userdel %u
add group script =/usr/sbin/smbldap-groupadd -p %g
delete group script =/usr/sbin/smbldap-groupdel %g
add user to group script =/usr/sbin/smbldap-groupmod -m %u %g
delete user from group script =/usr/sbin/smbldap-groupmod -x %u %g
set primary group script=/usr/sbin/smbldap-usermod -g %g %u
template shell = /bin/false
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
#smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#the encrypted SMB passwords. They allow the Unix password
#to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to
[Samba] samba PDC, ldap and ntlm_auth
Hello

I need to use ntlm_auth for samba users existing on the same server (samba PDC, Squid and Openldap on the same server).

I have read some mails in this list, particularly messages of Hesham S. Ahmed of Oct 7 2002, and I understand that to do this I need to join the PDC to itself, but when I use net join I receive this message

# /usr/bin/net join
Unable to find a suitable server
Unable to find a suitable server

If I use

# /usr/bin/net join -S BACKUP
Password:
Could not connect to server BACKUP
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

I use samba with ldap database, this is a piece of the smb.conf file

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings =
[global]
workgroup = UNIVERSITA
netbios name = BACKUP

# server string is the equivalent of the NT Description field
server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the loopback interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.9.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# printcap name = /etc/printcap
#
#load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = cups

# This option tells cups that the data has already been rasterized
# cups options = raw

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user nobody is used
; guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/utenti.log
; log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/smbd.log
log level = 3

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
# Use password server option only with security = server
; password server = NT-Server-Name

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
encrypt passwords = yes
security = user
mangling method = hash2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = yes
ldap admin dn = cn=Manager,dc=universita,dc=it
ldap suffix = dc=universita,dc=it
ldap group suffix = ou=Gruppi
ldap user suffix = ou=Utenti
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap delete dn = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add user script = /usr/sbin/smbldap-useradd -a -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
template shell = /bin/false

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
#smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#the encrypted SMB passwords. They allow the Unix password
#to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to
[Samba] Re: Samba PDC Ldap integration
Thanks guys, I fixed the problem; it was not actually a software problem. The switch the server was on was stuffed, it kept dropping out.

Thanks for all your help

On Jan 3, 2008 3:01 PM, Andy [EMAIL PROTECTED] wrote:
> Hello all
>
> I have set up a Debian etch server with a samba and ldap integration.
>
> domain master = yes
> domain logons = yes
> os level = 33
> preferred master = yes
> local master = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap admin dn = cn=admin,dc=test,dc=net
> ldap suffix = dc=test,dc=net
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap group suffix = ou=groups
> ldap password sync = yes
>
> I have added the machine into LDAP as a samba 3 machine. I have added a user to the domain admins group.
>
> When I try to connect a PC to the domain an error message pops up saying the following error occurred attempting to join the domain test: The specific network name is no longer available
>
> Would someone know the cause of this?
>
> --
> REGARDS,
> Andy Z

--
REGARDS,
Andy Z

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba PDC Ldap integration
Greeting Andy,

Your config seems to be ok, but change os level to 65. I suppose that you sent only the ldap parameters and not all the smb.conf parameters.

First check your DNS resolution (from your server and client). But I'm sure that you need to add the following parameter in the smb.conf to resolve your problem:

wins support = yes

(yurk I don't like Wins)

And on your windows client check your network configuration with the ipconfig /all command. You must see a Wins Server defined.

Try this and give me some feedback.

These parameters are not useful in the present problem.

netbios aliases = loghost, mailhost, backuphost, ldaphost
logon drive = H:
logon home = \\%h\%U
logon path = \\%h\profiles\%U
logon script = logon.bat
ldap delete dn = Yes
ldap ssl = off
ldapsam:trusted = Yes
ldap timeout = 15
utmp directory = /var/run
wtmp directory = /var/log
utmp = Yes

Best regards,
Robert

> Hello all
>
> I have set up a Debian etch server with a samba and ldap integration.
>
> domain master = yes
> domain logons = yes
> os level = 33
> preferred master = yes
> local master = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap admin dn = cn=admin,dc=test,dc=net
> ldap suffix = dc=test,dc=net
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap group suffix = ou=groups
> ldap password sync = yes
>
> I have added the machine into LDAP as a samba 3 machine. I have added a user to the domain admins group.
>
> When I try to connect a PC to the domain an error message pops up saying the following error occurred attempting to join the domain test: The specific network name is no longer available
>
> Would someone know the cause of this?
Re: [Samba] Samba PDC Ldap integration
On Thu, 03 Jan 2008, Andy might have said:

> Hello all
>
> I have set up a Debian etch server with a samba and ldap integration.
>
> domain master = yes
> domain logons = yes
> os level = 33
> preferred master = yes
> local master = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap admin dn = cn=admin,dc=test,dc=net
> ldap suffix = dc=test,dc=net
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap group suffix = ou=groups
> ldap password sync = yes
>
> I have added the machine into LDAP as a samba 3 machine. I have added a user to the domain admins group.
>
> When I try to connect a PC to the domain an error message pops up saying the following error occurred attempting to join the domain test: The specific network name is no longer available
>
> Would someone know the cause of this?

I don't have any data on a possible cause. My portions of the config for this are:

workgroup = MYDOMAIN
netbios name = smbhost
netbios aliases = loghost, mailhost, backuphost, ldaphost
server string = Samba Server (%h)
logon drive = H:
logon home = \\%h\%U
logon path = \\%h\profiles\%U
logon script = logon.bat
ldap delete dn = Yes
ldap suffix = dc=MYDOMAIN,dc=com
ldap admin dn = cn=manager,dc=MYDOMAIN,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap ssl = off
ldapsam:trusted = Yes
ldap timeout = 15
utmp directory = /var/run
wtmp directory = /var/log
utmp = Yes
encrypt passwords = Yes
password level = 0
password server = ldaphost.MYDOMAIN.com
passdb backend = ldapsam:ldap://ldaphost.MYDOMAIN.com
ldap passwd sync = Yes
unix password sync = No
passwd program = /usr/sbin/smbldap-passwd %u
#pam password change = Yes
passwd chat = Changing * password*for*\nNew password* %n\n *Retype new password* %n\n
passwd chat debug = Yes
#client use spnego = No
#use spnego = No
os level = 66
preferred master = Yes
local master = Yes
domain master = Yes
domain logons = Yes
allow trusted domains = Yes
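The configuration in the reply above pairs `ldap ssl = off` with a `passdb backend` on a remote LDAP host, so the admin DN bind and the Samba password hashes travel over the network unencrypted. The check below is an added example, not part of the original post or of Samba; the function names, the findings format and the two sample configurations (constructed from settings quoted in this thread) are assumptions.

```python
"""Flag cleartext LDAP transport in a Samba 3 smb.conf (added example)."""
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
STARTTLS = {"start tls", "start_tls"}   # spellings used by Samba 3 releases
DISABLED = {"off", "no"}

# Constructed samples, built from settings quoted in the thread.
POSTED_REMOTE = """\
[global]
    workgroup = MYDOMAIN
    ldap admin dn = cn=manager,dc=MYDOMAIN,dc=com
    ldap ssl = off
    ldapsam:trusted = Yes
    passdb backend = ldapsam:ldap://ldaphost.MYDOMAIN.com
    ldap passwd sync = Yes
"""
POSTED_LOCAL = """\
[global]
    passdb backend = ldapsam:ldap://localhost/
    ldap admin dn = cn=admin,dc=test,dc=net
"""


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # comments start with '#' or ';'
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.lower().split())] = value.strip()
    return params


def ldapsam_uris(params):
    """LDAP URIs named by 'passdb backend = ldapsam:...' (may be a quoted list)."""
    backend = params.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam:"):
        return []
    return backend[len("ldapsam:"):].replace('"', " ").split()


def audit(text):
    """Return one finding per ldapsam URI that is reached without encryption."""
    params = parse_global(text)
    mode = params.get("ldapssl", "").lower()
    admin_dn = params.get("ldapadmindn", "(not set)")
    findings = []
    for uri in ldapsam_uris(params):
        parts = urlparse(uri)
        host = parts.hostname or ""
        if parts.scheme in ("ldaps", "ldapi") or host in LOOPBACK:
            continue                      # TLS-wrapped, local socket or loopback
        if mode in STARTTLS:
            continue                      # StartTLS is requested on ldap://
        if mode in DISABLED:
            severity, reason = "high", "'ldap ssl = %s' disables StartTLS" % mode
        elif not mode:
            severity = "review"
            reason = "'ldap ssl' is not set; check the default of the installed release"
        else:
            severity, reason = "review", "unrecognised 'ldap ssl' value %r" % mode
        findings.append({
            "severity": severity,
            "uri": uri,
            "host": host,
            "reason": reason,
            "exposed": ["simple bind password of " + admin_dn,
                        "sambaNTPassword / sambaLMPassword attributes"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_REMOTE):
        print("[%(severity)s] %(uri)s: %(reason)s" % finding)
```

Setting `ldap ssl = start tls` (or using an `ldaps://` URI) clears the finding for the remote backend; the loopback backends quoted elsewhere in the thread are not flagged.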
[Samba] Samba PDC Ldap integration
Hello all

I have set up a Debian etch server with a samba and ldap integration.

domain master = yes
domain logons = yes
os level = 33
preferred master = yes
local master = yes
passdb backend = ldapsam:ldap://localhost/
ldap admin dn = cn=admin,dc=test,dc=net
ldap suffix = dc=test,dc=net
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap group suffix = ou=groups
ldap password sync = yes

I have added the machine into LDAP as a samba 3 machine. I have added a user to the domain admins group.

When I try to connect a PC to the domain an error message pops up saying the following error occurred attempting to join the domain test: The specific network name is no longer available

Would someone know the cause of this?

--
REGARDS,
Andy Z
[Samba] PDC Ldap adding computers to domain
I have a problem setting up samba using ldap as a domain server.

When I try to configure a windows 2000 machine to join the domain I first get an authentication request where I enter root and root's password. The dialog disappears for a while (20-30 seconds) and then displays an error dialog with something like "The user name could not be found" (but in swedish). The computer name shows up in the ldap database after this.

I'm using:
Debian etch
samba 3.0.24-6etch5
smbldap-tools 0.9.2-3
OpenLDAP (slapd) 2.3.30-5

I set the debugging to level 2 and get this for each attempt at configuring the computer in /var/log/samba/log.troll

[2007/11/30 01:45:51, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 10.0.0.203. Error Connection reset by peer
[2007/11/30 01:45:51, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2007/11/30 01:45:51, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/11/30 01:45:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/11/30 01:45:51, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/11/30 01:45:51, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
[2007/11/30 01:45:51, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/11/30 01:45:52, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain CHAMPIS - S-1-5-21-3235403273-773503436-3870180080

my smb.conf

[global]
    workgroup = CHAMPIS
    server string = %h server
    passdb backend = ldapsam:ldap://localhost:389
    passwd program = /sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password %n\n *all*authentication*tokens*updated*
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = lmhosts host wins bcast
    add user script = /usr/sbin/smbldap-useradd -m %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    logon path = \\%N\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 42
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=admin,dc=proxxi,dc=org
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap replication sleep = 5000
    ldap suffix = dc=proxxi,dc=org
    ldap user suffix = ou=Users
    panic action = /usr/share/samba/panic-action %d

[homes]
    comment = Home Directories
    valid users = %U
    create mask = 0700
    directory mask = 0700
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes
    share modes = No

[profiles]
    comment = Users profiles
    path = /home/samba/profiles
    create mask = 0600
    directory mask = 0700
    browseable = No
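The log excerpt in the post above records the domain join being authenticated as `root` (`check_ntlm_password ... [root] ... succeeded`). The parser below is an added example, not part of the original post or of Samba: it splits such a log into records and reports successful SMB logons by privileged accounts. The function names, the `PRIVILEGED` set and the sample (records copied from the post) are assumptions of the example.

```python
"""Summarise NTLM logons in a Samba 3.0 smbd log excerpt (added example)."""
import re

# Record header as in the post: "[date time, level] file:function(line)".
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+([\w./-]+):(\w+)\((\d+)\)"
)
# smbd writes "[a] -> [b] -> [c]"; the list archive reduced "->" to "-".
AUTH = re.compile(
    r"authentication for user \[([^\]]*)\]\s*-+>?\s*\[([^\]]*)\]"
    r"(?:\s*-+>?\s*\[([^\]]*)\])?\s+(\w+)",
    re.IGNORECASE,
)
CLIENT = re.compile(r"\bclient (\d{1,3}(?:\.\d{1,3}){3})")
PRIVILEGED = {"root", "administrator"}  # assumption: accounts worth alerting on

# Constructed sample: five of the records quoted in the post.
SAMPLE = """\
[2007/11/30 01:45:51, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 10.0.0.203. Error Connection reset by peer
[2007/11/30 01:45:51, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2007/11/30 01:45:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/11/30 01:45:51, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
[2007/11/30 01:45:52, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain CHAMPIS - S-1-5-21-3235403273-773503436-3870180080
"""


def parse_records(text):
    """Split a log into records; works on normal and on flattened one-line text."""
    headers = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        records.append({
            "time": head.group(1),
            "level": int(head.group(2)),
            "source": head.group(3),
            "function": head.group(4),
            "message": " ".join(text[head.end():end].split()),
        })
    return records


def logons(records):
    """Return one entry per check_ntlm_password result."""
    found = []
    for rec in records:
        match = AUTH.search(rec["message"])
        if rec["function"] != "check_ntlm_password" or not match:
            continue
        # client-supplied name, name after mapping, Unix account (if logged)
        requested, mapped, unix, outcome = match.groups()
        account = (unix or mapped or requested).lower()
        found.append({
            "time": rec["time"],
            "requested": requested,
            "account": account,
            "succeeded": outcome.lower() == "succeeded",
            "privileged": account in PRIVILEGED,
        })
    return found


def summarise(text):
    """Count records, list client addresses and raise alerts for privileged logons."""
    records = parse_records(text)
    events = logons(records)
    clients = sorted({m.group(1) for r in records
                      for m in CLIENT.finditer(r["message"])})
    alerts = ["%s privileged account '%s' logged on over SMB" % (e["time"], e["account"])
              for e in events if e["succeeded"] and e["privileged"]]
    return {"records": len(records), "logons": events,
            "clients": clients, "alerts": alerts}


if __name__ == "__main__":
    for line in summarise(SAMPLE)["alerts"]:
        print(line)
```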
Re: [Samba] samba pdc ldap vs mysql
Petre Bandac wrote:
> hallo
>
> I have a task to reorganize the network resources of a medium company (~150 computers, 80% windows) which in the current state is very chaotic
>
> I was thinking of a system where the users are stored in a single place, from where applications like mail (postfix), squid and even a domain controller can retrieve information
>
> from your past experience, which does a better job - ldap or users stored in a mysql database ?
>
> I would appreciate your feedback or some links (I already have googled around and found several sources from where I am reading right now)
>
> I would like to have the same user/password for at least mail domain logon

I would say MySQL is not an officially recommended way of storing Samba users.

--
Tomasz Chmielewski
http://blog.wpkg.org
[Samba] samba pdc ldap vs mysql
hallo

I have a task to reorganize the network resources of a medium company (~150 computers, 80% windows) which in the current state is very chaotic

I was thinking of a system where the users are stored in a single place, from where applications like mail (postfix), squid and even a domain controller can retrieve information

from your past experience, which does a better job - ldap or users stored in a mysql database ?

I would appreciate your feedback or some links (I already have googled around and found several sources from where I am reading right now)

I would like to have the same user/password for at least mail domain logon

thank you for your time,
petre

--
Petre Bandac
Network Scientist - [EMAIL PROTECTED]
Re: [Samba] samba pdc ldap vs mysql
I'm an ldap fan. LDAP could be used to centralize all kinds of apps and systems you could need, even intranet accounts, samba, a replacement for nis, postfix, qmail, and so on.

On 9/15/07, Petre Bandac [EMAIL PROTECTED] wrote:
> hallo
>
> I have a task to reorganize the network resources of a medium company (~150 computers, 80% windows) which in the current state is very chaotic
>
> I was thinking of a system where the users are stored in a single place, from where applications like mail (postfix), squid and even a domain controller can retrieve information
>
> from your past experience, which does a better job - ldap or users stored in a mysql database ?
>
> I would appreciate your feedback or some links (I already have googled around and found several sources from where I am reading right now)
>
> I would like to have the same user/password for at least mail domain logon
>
> thank you for your time,
> petre
>
> --
> Petre Bandac
> Network Scientist - [EMAIL PROTECTED]
Re: [Samba] samba pdc ldap vs mysql
Petre Bandac wrote:
> hallo
>
> I have a task to reorganize the network resources of a medium company (~150 computers, 80% windows) which in the current state is very chaotic
>
> I was thinking of a system where the users are stored in a single place, from where applications like mail (postfix), squid and even a domain controller can retrieve information
>
> from your past experience, which does a better job - ldap or users stored in a mysql database ?
>
> I would appreciate your feedback or some links (I already have googled around and found several sources from where I am reading right now)
>
> I would like to have the same user/password for at least mail domain logon
>
> thank you for your time,
> petre

At least as far as Samba goes, I could have sworn MySQL received less attention as a backend (possibly even having been removed). There are probably ways to sync MySQL with LDAP that are fairly painless, but this really seems like something that one would do with LDAP anyhow.

--
Ryan Novosielski - Systems Programmer II
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
Re: [Samba] samba pdc ldap vs mysql
Hello, mups.cp,

you (mups.cp) wrote on 15.09.07:

> I'm an ldap fan. LDAP could be used to centralize all kinds of apps and systems you could need, even intranet accounts, samba, a replacement for nis, postfix, qmail, and so on.

Don't put all your eggs into one basket ...

Best regards!
Helmut
Re: [Samba] samba pdc ldap vs mysql
mups.cp wrote:
> I understand your point of view, but most of the time people prefer to have only one username and password instead of one for each application and system they use.

that is exactly what I want to do; so, using ldap, I can have the same user/pass for both domain and mailbox

based on your experience, which would fit better with postfix/courier and samba ?

thanks,
petre

> There are other options, but I prefer LDAP for account management and centralization. Others will prefer MySQL.
>
> On 15 Sep 2007 17:42:00 +0200, Helmut Hullen [EMAIL PROTECTED] wrote:
> Hello, mups.cp,
>
> you (mups.cp) wrote on 15.09.07:
>
> I'm an ldap fan. LDAP could be used to centralize all kinds of apps and systems you could need, even intranet accounts, samba, a replacement for nis, postfix, qmail, and so on.
>
> Don't put all your eggs into one basket ...
>
> Best regards!
> Helmut

--
Petre Bandac
Network Scientist - [EMAIL PROTECTED]
Re: [Samba] samba pdc ldap vs mysql
Since I know any good MTA supports LDAP. Choose one that better fits your needs and you are accustomed to.

On 9/15/07, Petre Bandac [EMAIL PROTECTED] wrote:
> mups.cp wrote:
> I understand your point of view, but most of the time people prefer to have only one username and password instead of one for each application and system they use.
>
> that is exactly what I want to do; so, using ldap, I can have the same user/pass for both domain and mailbox
>
> based on your experience, which would fit better with postfix/courier and samba ?
>
> thanks,
> petre
>
> There are other options, but I prefer LDAP for account management and centralization. Others will prefer MySQL.
>
> On 15 Sep 2007 17:42:00 +0200, Helmut Hullen [EMAIL PROTECTED] wrote:
> Hello, mups.cp,
>
> you (mups.cp) wrote on 15.09.07:
>
> I'm an ldap fan. LDAP could be used to centralize all kinds of apps and systems you could need, even intranet accounts, samba, a replacement for nis, postfix, qmail, and so on.
>
> Don't put all your eggs into one basket ...
>
> Best regards!
> Helmut
>
> --
> Petre Bandac
> Network Scientist - [EMAIL PROTECTED]
Re: [Samba] samba pdc ldap vs mysql
> I understand your point of view, but most of the time people prefer to have only one username and password instead of one for each application and system they use.
>
> that is exactly what I want to do; so, using ldap, I can have the same user/pass for both domain and mailbox
> based on your experience, which would fit better with postfix/courier and samba ?

Using LDAP is standard for most applications and well supported; information on LDAP integration is plentiful; Postfix has supported LDAP for a long time and a standard SASL build supports LDAP. Using something like MySQL for auth/ident is hackish and very non-standard; you'd be creating a site specific solution. It is important to think about what happens if someone needs to come in and work in your environment. LDAP is common and well understood, people expect LDAP in anything but the smallest networks.

> There are other options, but I prefer LDAP for account management and centralization. Others will prefer MySQL.
>
> I'm an ldap fan. LDAP could be used to centralize all kinds of apps and systems you could need, even intranet accounts, samba, a replacement for nis, postfix, qmail, and so on.
>
> Don't put all your eggs into one basket ...

Yes, do. One basket is EXACTLY what you want. We use LDAP for ident (NSS SAMBA) authentication (mainly via PAM, SASL, Samba), DHCP, DNS, mail routing, IM groups, user preferences, and lots of other things. It is a major labor savings to have ONE store for all this information that can all be managed by a very well supported and standard protocol (LDAP). Whether you want to use Perl, Python, C#, Java, PHP, etc... you can access your data - no mucking about with is-it-compiled-to-support... or drivers, etc...

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: [Samba] Samba PDC LDAP HowTo 4 U
Chris Smart wrote:
> Hi all,
>
> I've written a HowTo for 'Samba domain with LDAP back end' and am looking for people to test it and tell me the stupid things I did.
>
> I also wanted to put the HowTo out there in case others wanted to do something similar and because I know you've got nothing better to do on your weekend than play with Linux ;)
>
> I'm by no means a Samba expert so please let me know if you have any suggestions or improvements :)
>
> It's wikified online at : http://wiki.makethemove.net/index.php?title=LDAP-Samba;

Am still reading it... :)

However, I wanted to take a moment to mention the smbldap-installer at http://majen.net/smbldap/

It rocks!

I am glad to see you covering some areas not covered in many howto's.

Questions that may come up in setting up a pdc may be...

Folder redirection using policy files, etc.

How to copy existing profiles to the roaming profiles.

Giving a user permission to join the domain. (so folks aren't running around with the root password)

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege

and possibly these as well..

SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege \
SeBackupPrivilege \
SeRestorePrivilege \
SeRemoteShutdownPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege \
Re: [Samba] Samba PDC LDAP HowTo 4 U
Hi Chris!

Although ubuntu-ish, the how to seems to reunite plenty of information, specially an 'ldap primer'.

I MUST ask you about the output of wbinfo -g and wbinfo -u. I just wonder if it is ever possible to get Samba as a PDC (without any windows AD as master) to report groups and users via wbinfo, thus making life with squid easier. I guess you'll need to run/setup winbindd for this task.

Could you try it and report please?

Thanks!
Mauricio

Chris Smart wrote:
> Hi all,
>
> I've written a HowTo for 'Samba domain with LDAP back end' and am looking for people to test it and tell me the stupid things I did.
>
> I also wanted to put the HowTo out there in case others wanted to do something similar and because I know you've got nothing better to do on your weekend than play with Linux ;)
>
> I'm by no means a Samba expert so please let me know if you have any suggestions or improvements :)
>
> It's wikified online at : http://wiki.makethemove.net/index.php?title=LDAP-Samba;
>
> Cheers,
> Chris
[Samba] Samba PDC LDAP HowTo 4 U
Hi all,

I've written a HowTo for 'Samba domain with LDAP back end' and am looking for people to test it and tell me the stupid things I did.

I also wanted to put the HowTo out there in case others wanted to do something similar and because I know you've got nothing better to do on your weekend than play with Linux ;)

I'm by no means a Samba expert so please let me know if you have any suggestions or improvements :)

It's wikified online at : http://wiki.makethemove.net/index.php?title=LDAP-Samba;

Cheers,
Chris
[Samba] Re: [clug] Samba PDC LDAP HowTo 4 U
Chris Smart wrote:
> I've written a HowTo for 'Samba domain with LDAP back end' and am looking for people to test it and tell me the stupid things I did.

Thanks for posting the URL. I just did a presentation which I do not cover LDAP back ends in, and I had a question about just such a configuration, so I will pass this along to him.

For reference, my presentation can be found at this URL.

Samba 3 PDC for Windows Clients and Samba 3 Book Review
http://www.lueckdatasystems.com/pub/presentations/iccm2007.pdf
http://www.lueckdatasystems.com/pub/presentations/iccm2007.zip

I did not get all of the dust knocked out before the presentation... but after I think two years since I had last given the presentation I definitely got my work out getting the presentation polished up as much as I did. (Scripts and config files are in the zip file.)

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
[Samba] urgent: winbind doesn't see groups from samba pdc+ldap
Hello!

After migrating the pdc from nt to samba+ldap my member fileserver doesn't see the groups anymore.

I set it up with nss as shown in: http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss

getent passwd + group show all users and groups correctly.
wbinfo -u shows all users correctly, but wbinfo -g shows only 2 builtin accounts.

I tried without nss, only with winbind, before, in the hope I would not have to reset all permissions, but it was exactly the same.

Machine is debian/etch samba 3.0.24

Please let me know if I should send more info. I'm very grateful for any hints.

thanks
angela

here my smb.conf

[global]
    # Server Definition
    server string = %h (%v)
    domain logons = no
    domain master = no
    local master = no
    preferred master = no
    timeserver = no

    # Domain membership
    workgroup = AAG
    security = domain
    password server = 192.168.100.72

    # Name resolution
    name resolve order = host wins bcast

    # Allowed authentication protocols
    map archive = yes
    map hidden = no
    map readonly = yes
    map system = no
    map to guest = never
    delete readonly = yes
    preserve case = yes

    # Disconnect after 15 min. of inactivity
    log file = /var/log/samba/%m.log
    log level = 10
    syslog = 1
    panic action = /usr/share/samba/panic-action %d

    # When is data written to the disks?
    strict sync = yes
    sync always = yes
    use sendfile = yes

    # Do not set oplocks on mdb files
    veto oplock files = /*.mdb/

    # OpenOffice has a problem when saving, but the oplocks are not the cause!
    oplocks = yes
    level2 oplocks = yes

    # Winbind - for authentication via another server
    #winbind cache time = 300
    #winbind enum groups = yes
    #winbind enum users = yes
    #winbind uid = 1-2
    #winbind gid = 1-2
    ldap admin dn = cn=admin,dc=aag
    ldap suffix = dc=aag
    ldap group suffix = ou=groups
    ldap user suffix = ou=users
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=idmap
    idmap backend = ldap:ldap://erde.aag
    idmap uid = 1-2
    idmap gid = 1-2
    winbind trusted domains only = yes
    deadtime = 15
    keepalive = 0

... shares

/etc/ldap/ldap.conf

BASE dc=aag
URI ldap://erde.aag:389 ldap://mond.aag:389
nss_base_passwd ou=users,dc=aag?one
nss_base_passwd ou=computers,dc=aag?one
nss_base_shadow ou=users,dc=aag?one
nss_base_group ou=groups,dc=aag?one
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT /etc/ldap/certs/memberserver_cert.pem
TLS_KEY /etc/ldap/certs/memberserver_key.pem
TLS_CHECKPEER yes
SSL start_tls
TLS_REQCERT allow

It makes no difference if I activate TLS or not.

** /etc/nsswitch.conf **

passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
[Samba] Samba-PDC+LDAP Domain logon problem
Hello!

I have Samba with LDAP password backend.

-Logging to shell works with ldap accounts
-Logging to smb-share works with ldap accounts
-Adding computers to domain with (shown in conf. file) and without (manually) works

But here's my problem:

-Logging to domain with username passwd doesn't work

When using smbpasswd -file as backend it works

After 3 days of googling I'm quite bored to find help anywhere else. Can anyone help me with this problem..?

Thanks,
Aki

OS details and conf files:

I'm running:
Debian lenny with 2.6.18-4
Samba 3.0.24
OpenLDAP 2.3.30

---smb.conf:--

[global]
    workgroup =
    passdb backend = ldapsam:ldap://127.0.0.1
    log level = 1
    max xmit = 65535
    time server = Yes
    deadtime = 15
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    add machine script = /usr/local/smbldaptools/smbldap-useradd.pl -w %m
    logon script = logon.bat
    logon path = \\%N\profiles\%u
    logon drive = H:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins proxy = Yes
    wins support = Yes
    ldap admin dn = cn=admin,dc=
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    ldap suffix = dc=
    ldap user suffix = ou=users
    dos filetime resolution = Yes

[homes]
    read only = No

[netlogon]
    path = /home/netlogon
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
Fwd: [Samba] Samba-PDC+LDAP Domain logon problem
-- Forwarded message --
From: John Drescher [EMAIL PROTECTED]
Date: May 14, 2007 10:33 AM
Subject: Re: [Samba] Samba-PDC+LDAP Domain logon problem
To: Aki Vuorinen [EMAIL PROTECTED]

On 5/14/07, Aki Vuorinen [EMAIL PROTECTED] wrote:

Hello!

I have Samba with LDAP password backend.

-Logging to shell works with ldap accounts
-Logging to smb-share works with ldap accounts
-Adding computers to domain with (shown in conf. file) and without (manually) works

But here's my problem:

-Logging to domain with username passwd doesn't work

When using smbpasswd -file as backend it works

After 3 days of googling I'm quite bored to find help anywhere else. Can anyone help me with this problem..?

Thanks,
Aki

OS details and conf files:

I'm running:
Debian lenny with 2.6.18-4
Samba 3.0.24
OpenLDAP 2.3.30

---smb.conf:--
[global]
    workgroup =
    passdb backend = ldapsam:ldap://127.0.0.1
    log level = 1
    max xmit = 65535
    time server = Yes
    deadtime = 15
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    add machine script = /usr/local/smbldaptools/smbldap-useradd.pl -w %m
    logon script = logon.bat
    logon path = \\%N\profiles\%u
    logon drive = H:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins proxy = Yes
    wins support = Yes
    ldap admin dn = cn=admin,dc=
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    ldap suffix = dc=
    ldap user suffix = ou=users
    dos filetime resolution = Yes

[homes]
    read only = No

[netlogon]
    path = /home/netlogon
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

You seem to be missing IDEALX entries:

    add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
    passwd program = /opt/IDEALX/sbin/smbldap-passwd -p %n %u

John

--
John M. Drescher
[Samba] PDC LDAP Idmap problem
Hello,

I have a PDC running on SLES 10 which is using an ldap password backend and is supposed to be using ldap Idmap as well. My problem seems to be that my PDC is not writing any entries to the ldap idmap. Everything works just fine on the PDC, shares and what not, but I can not get a Samba domain member server to share anything properly. I get permissions errors and other problems like that.

For example on the member server, it uses ldap for authentication so that ldap users can login to that machine (mostly just me) and this also helps because it is aware of all the usernames and group names, which simplifies permissions I think. The problem is shares on this server do not function correctly. When looking from windows the shares do not seem to belong to the correct group (for example one set to it on the server ends up as administration on the windows security page) and even if I am a member of all the groups I get a permission denied when I try to create new folders.

The reason I think it is an idmap problem is because no entries are created in the idmap section in ldap by the pdc and because of the misused groups I described above. One other thing is, the Domain Member server seems to write two entries to the idmap in ldap if it does not exist already.

I am really at a loss as to how to proceed with this setup to correct my problem. If someone on here has any suggestions and can explain how I should go about it then please I would greatly appreciate it. Also I have not copied any config files here to avoid flooding, but if anyone would like to see any config file please just ask me and I will provide them.

Thank you again,
Brent
[Samba] samba pdc+ldap authentificating users in another ldap without samba
Hi everybody,

we have a Samba PDC Server with LDAP working quite well, with no relevant problems (OpenLdap with Samba 3 in a RHEL 4 server). Now we want to integrate users with another OpenLdap server which has personal info only and which is used to validate users in other kind of services in the campus; the idea is that users validate with the info in this external server (user and password) but being able to use our samba LDAP info in our local server.

That is, is it possible to validate users in one server but to use samba info of another?

Thanks in advance.

--
Frank
UPC - Terrassa
Barcelona - Spain
Re: [Samba] configure SAMBA(PDC)+LDAP for win XP clients
There are plenty of good on-line resources on how to do this. Google the following: Samba 3 by Example, The Official Samba How To and The Linux Samba-OpenLDAP Howto (from IdealX). These will get you started. Then you can use the board for more specific questions.

Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com

On 2/2/2007 12:51 AM, suresh bollu wrote:

Hi all,

i want to setup SAMBA(PDC) with LDAP for my work place, server is on FC5, and clients are Win XP, when user login to samba it will save the profile of the user and retrieve back when he login again.

please help me to setup the above,

Regards,
Suresh Bollu
[Samba] configure SAMBA(PDC)+LDAP for win XP clients
Hi all,

i want to setup SAMBA(PDC) with LDAP for my work place, server is on FC5, and clients are Win XP, when user login to samba it will save the profile of the user and retrieve back when he login again.

please help me to setup the above,

Regards,
Suresh Bollu
RE: [Samba] Netlogon, roming profiles in samba(PDC)-ldap
Suresh,

A little cheat however being that most of my notes are from this section, if you go to http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

This helps you with creating essentially a roaming profile. Some other useful goodies in there as well.

Thanks
Dave

-Original Message-
From: SURESH BOLLU [mailto:[EMAIL PROTECTED]
Sent: 31 January 2007 04:59
To: Ellison, David
Subject: RE: [Samba] Netlogon, roming profiles in samba(PDC)-ldap

thanks for the help, and i am waiting for ur reply,

Regards,
Suresh Bollu

--- Ellison, David [EMAIL PROTECTED] wrote:

There is a way to do this, I'll have a dig. There is some documentation some on that, quite useful. Give me an hour or so and I will have a look.

Cheers
Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ba.org] On Behalf Of suresh bollu
Sent: 30 January 2007 13:57
To: samba@lists.samba.org
Subject: [Samba] Netlogon, roming profiles in samba(PDC)-ldap

for my organization i configured a Samba PDC, Samba-LDAP, with the following configuration

my server is running fedora core 5, all my clients are windows XP,

my problem is when i login to the domain through windows xp client each time the profile is refreshing, i want to save the profile in server and retrieve it when i login again.

please help me out to get out of this problem,

Regards,
Suresh Bollu

*smb.conf*

[global]
    workgroup = QVANTELIN
    netbios name = box1
    interfaces = eth1, lo
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    obey pam restrictions = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = Changing password for *\nNew password* %n\n *Retype new password* %n\n
    ldap password sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    logon script = startup.bat
    #logon drive = F:
    logon home =
    logon path =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://192.168.1.10
    ldap admin dn= cn=Manager,dc=qvantelin,dc=com
    ldap suffix = dc=qvantelin,dc=com
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Users
    #ldap ssl = start tls
    add user script = /usr/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    #delete user script = /usr/sbin/smbldap-userdel %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    #delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u

[homes]
    comment = Home Directories
    valid users = %S
    writable = yes
    create mask = 0664
    directory mask = 0775
    browseable = yes

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    writable = yes
    writable = yes
    Browseable = yes
    create mode = 0644
    directory mode = 0755

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

=== message truncated ===
[Samba] Netlogon, roming profiles in samba(PDC)-ldap
for my organization i configured a Samba PDC, Samba-LDAP, with the following configuration

my server is running fedora core 5, all my clients are windows XP,

my problem is when i login to the domain through windows xp client each time the profile is refreshing, i want to save the profile in server and retrieve it when i login again.

please help me out to get out of this problem,

Regards,
Suresh Bollu

*smb.conf*

[global]
    workgroup = QVANTELIN
    netbios name = box1
    interfaces = eth1, lo
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    obey pam restrictions = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = Changing password for *\nNew password* %n\n *Retype new password* %n\n
    ldap password sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    logon script = startup.bat
    #logon drive = F:
    logon home =
    logon path =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://192.168.1.10
    ldap admin dn= cn=Manager,dc=qvantelin,dc=com
    ldap suffix = dc=qvantelin,dc=com
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Users
    #ldap ssl = start tls
    add user script = /usr/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    #delete user script = /usr/sbin/smbldap-userdel %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    #delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u

[homes]
    comment = Home Directories
    valid users = %S
    writable = yes
    create mask = 0664
    directory mask = 0775
    browseable = yes

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    writable = yes
    writable = yes
    Browseable = yes
    create mode = 0644
    directory mode = 0755

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

*smbldap.conf*

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##
#
# General Configuration
#
##

#UID and GID starting at...
UID_START=1000
GID_START=1000

# Put your own SID. To obtain this number do: net getlocalsid.
# If not defined, parameter is taking from net getlocalsid return
SID=S-1-5-21-2118587481-1440970363-3314129951

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain=IDEALX-NT
#sambaDomain=QVANTELIN

##
#
# LDAP Configuration
#
##

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to 127.0.0.1
slaveLDAP=192.168.1.10

# Slave LDAP port
# If
RE: [Samba] Netlogon, roming profiles in samba(PDC)-ldap
There is a way to do this, I'll have a dig. There is some documentation some on that, quite useful. Give me an hour or so and I will have a look.

Cheers
Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ba.org] On Behalf Of suresh bollu
Sent: 30 January 2007 13:57
To: samba@lists.samba.org
Subject: [Samba] Netlogon, roming profiles in samba(PDC)-ldap

for my organization i configured a Samba PDC, Samba-LDAP, with the following configuration

my server is running fedora core 5, all my clients are windows XP,

my problem is when i login to the domain through windows xp client each time the profile is refreshing, i want to save the profile in server and retrieve it when i login again.

please help me out to get out of this problem,

Regards,
Suresh Bollu

*smb.conf*

[global]
    workgroup = QVANTELIN
    netbios name = box1
    interfaces = eth1, lo
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    obey pam restrictions = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = Changing password for *\nNew password* %n\n *Retype new password* %n\n
    ldap password sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    logon script = startup.bat
    #logon drive = F:
    logon home =
    logon path =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://192.168.1.10
    ldap admin dn= cn=Manager,dc=qvantelin,dc=com
    ldap suffix = dc=qvantelin,dc=com
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Users
    #ldap ssl = start tls
    add user script = /usr/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    #delete user script = /usr/sbin/smbldap-userdel %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    #delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u

[homes]
    comment = Home Directories
    valid users = %S
    writable = yes
    create mask = 0664
    directory mask = 0775
    browseable = yes

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    writable = yes
    writable = yes
    Browseable = yes
    create mode = 0644
    directory mode = 0755

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

*smbldap.conf*

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##
#
# General Configuration
#
##

#UID and GID starting at...
UID_START=1000
GID_START=1000

# Put your own SID. To obtain this number do: net getlocalsid.
# If not defined, parameter is taking from net getlocalsid return
SID=S-1-5-21-2118587481-1440970363-3314129951

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain=IDEALX-NT
#sambaDomain=QVANTELIN

##
#
# LDAP Configuration
[Samba] Problem with Samba PDC LDAP backend and groups
I have configured a SambaPDC with a OpenLDAP backend. I recently upgraded Samba from 3.0.10-1.4E.9, to 3.0.23c and have run into a problem with groups. Specifically, the machines I have joined to the domain, are not able to retrieve group information. Please note that net rpc user works as expected on both smbd versions.0

Version Information:
OpenLDAP 2.3.27
Samba version 3.0.10-1.4E.9
OS: CentOS release 4.4

I join the domain from a FreeBSD box, and then run a net rpc groups, it is able to pull group information, and display. I then switch to the new binaries. Restart slapd and smbd. I run a net rpc group and no information is returned. Again net rpc user works as expected. I also make sure to flush the system and add users so that it is not just retrieving cached information.

Please also note this is a test Samba PDC, and is meant to be a proof of concept / testing machine.

Thanks
Alex

Below is my smb.conf file:

[global]
    workgroup = ESCPDC
    netbios name = ESC-17
    server string = SambaPDC
    printcap name = /etc/printcap
    load printers = yes
    log level = 10
    log file = /var/log/samba/%m.log
    max log size = 50
    security = user
    #include = /etc/samba/smb.conf.%m
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon script = %U.bat
    logon path = \\%L\profiles\%U
    logon drive = Z:
    #hlogon path =
    name resolve order = wins lmhosts host bcast
    wins support = yes
    dns proxy = no
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=escldap,dc=com
    ldap suffix = dc=escldap,dc=com
    ldap admin dn = cn=root,dc=escldap,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=People
    ldap passwd sync = yes
    admin users = root Administrator
    null passwords = yes
    add user script = /usr/local/sbin/smbldap-useradd.pl -m %u
    add machine script = /usr/local/sbin/smbldap-useradd -w %u
    idmap uid = 10-20
    idmap gid = 10-20
    template shell = /bin/false
    winbind use default domain = no
    time server = yes

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
Re: [Samba] Problem with Samba PDC LDAP backend and groups
On Thu, Oct 12, 2006 at 01:04:51PM -0700, Alex Long wrote:

I join the domain from a FreeBSD box, and then run a net rpc groups, it is able to pull group information, and display. I then switch to the new binaries. Restart slapd and smbd. I run a net rpc group and no information is returned. Again net rpc user works as expected. I also make sure to flush the system and add users so that it is not just retrieving cached information.

Do you have group mappings for all the groups?

Volker
[Samba] samba pdc ldap without roaming profiles
Hi list

At the moment I use samba as a pdc with tdbsam as passwd backend. I plan to use ldap and I already tried it out. Unfortunately I didn't find a way to disable roaming profiles. I used the smbldap tools.

First there is the question if I should use

    add user script = /usr/sbin/smbldap-useradd -m %u

with the -a (is a Windows User) option. If I don't, then windows account specific information like last passwd change isn't stored in the ldap backend.. Where are they stored then ?

Second, the main problem is that I can't remove entries like

Home Directory
HomeDir Drive
Logon Script
Profile Path

from the users. Neither by using srvtools nor ldap directly nor pdbedit. Therefore I am forced to use all my accs as roaming profiles which I don't really want.

I would appreciate any hints for solving this problem.

Thank you,
Alex Kretschmer
[Samba] Re: samba pdc ldap without roaming profiles
to disable roaming profile for everybody, i'd use this in smb.conf:

    logon drive =
    logon home =

yes, it's blank ;)
Re: [Samba] Re: samba pdc ldap without roaming profiles
There's a difference between what's in the smb.conf and what's stored with the user entries in the ldap backend. Thanks anyway.

bob_bipbip wrote:

to disable roaming profile for everybody, i'd use this in smb.conf:

    logon drive =
    logon home =

yes, it's blank ;)
Re: [Samba] samba pdc ldap without roaming profiles
Greetings Alexander,

And you can disable roaming profile on Microsoft professional client (I haven't tried local profile with 9x clients). Open MMC and add the snap-in Group Policy. Browse in Local Computer Policy / Computer Configuration / Administrative Template / System / Login and change Only allow local user profiles value. For Windows 2000, you need SP3 or later installed. And run secedit /refreshpolicy machine_policy (W2K) or gpupdate (XP).

Robert

Hi list

At the moment I use samba as a pdc with tdbsam as passwd backend. I plan to use ldap and I already tried it out. Unfortunately I didn't find a way to disable roaming profiles. I used the smbldap tools.

First there is the question if I should use

    add user script = /usr/sbin/smbldap-useradd -m %u

with the -a (is a Windows User) option. If I don't, then windows account specific information like last passwd change isn't stored in the ldap backend.. Where are they stored then ?

Second, the main problem is that I can't remove entries like

Home Directory
HomeDir Drive
Logon Script
Profile Path

from the users. Neither by using srvtools nor ldap directly nor pdbedit. Therefore I am forced to use all my accs as roaming profiles which I don't really want.

I would appreciate any hints for solving this problem.

Thank you,
Alex Kretschmer
[Samba] Samba PDC LDAP: Got too many (2) info entries for domain
Hello there.

I'm currently configuring a Samba PDC LDAP Master Server and two Samba BDC LDAP Slave Servers with slurpd replication service over Debian 3.1 Sarge and Samba 3.0.22.

I'm trying to fix a problem related with the info domain entry. When I execute the net getlocalsid [Domain] in the PDC server, I receive the following response:

# net getlocalsid [domain]
[2006/04/16 03:26:51, 0] lib/smbldap_util.c:smbldap_search_domain_info(276)
  Got too many (2) domain info entries for domain [domain]
SID for domain [DOMAIN] is: S-1-5-21-xxx-xxx-x

In addition, when I execute, for example, pdbedit -L, I receive the following output:

# pdbedit -L
Searching for:[((objectClass=sambaDomain)(sambaDomainName=[DOMAIN]))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Got too many (2) domain info entries for domain [DOMAIN]
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
Searching for:[((objectClass=sambaDomain)(sambaDomainName=[DOMAIN]))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Got too many (2) domain info entries for domain [DOMAIN]
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
ldapsam_setsampwent: 5 entries in the base dc=mydomain,dc=com
init_sam_from_ldap: Entry found for user: user1
user1:10001:User 1
init_sam_from_ldap: Entry found for user: machine-01$
machine-01$:25001:machine-01$
init_sam_from_ldap: Entry found for user: machine-02$
machine-02$:25000:machine-02$
init_sam_from_ldap: Entry found for user: user2
user2:10002:User 2
init_sam_from_ldap: Entry found for user: admin
admin:0:admin admin

Following several fixes I've found, I've tried to reindex the LDAP master database and rebuild the domain entry. I've made sure that there is only one entry for the domain too without results.

I think that the problem is related with the domain entry stored in secrets.tdb. When I delete the LDAP domain entry and execute net getlocalsid [domain], the response is correct. However, when I rebuild the LDAP entry, the error comes back again.

Can you please give me any advice or workaround I could apply to fix it?

Thank you very much in advance,
Alberto
[Samba] Samba PDC/LDAP not mapping logon drive
Well it took forever (three days actually) to:

1) setup a working ldap server. Unix users now authenticate against the LDAP server perfectly.
2) Setup samba to use LDAP authentication.
3) Get the WindowsXP machines to become members of the domain.

Everything seems to be working fine except for 1) roaming profiles, and 2) User's home directory (logon drive) doesn't get mapped during log in.

So basically I can log in to the workstation. My user can even see their home directory shares (via the [homes] share) but it doesn't get mapped automatically as drive E: (or any other drive letter) when they log on.

I can sort of live without roaming profiles but the failure to map the logon drive automagically isn't acceptable. Could somebody please help me??

I have the logon stuff setup as:

    logon path = \\%L\profiles\%U
    logon drive = E:
    logon home = \\%L\%U

Which I think should map \\SERVER\USERNAME as drive E: automatically whenever they log in (substituting the proper values for SERVER and USERNAME of course.) It doesn't work.

The profile doesn't seem to roam either as I expect it would with logon path. The path exists and I have enabled the thingy in gpedit.msc which is required for WinXP machines. But this is really secondary. I need the logon drive fixed, roaming profiles would just be a nice bonus.

here's my full smb.conf, sorry to be so verbose but I wanted to include it all because I don't understand much of the LDAP, PDC or roaming profile entry stuff in this so I didn't want to miss something:

-BEGIN /etc/samba/smb.conf ---
[global]
    netbios name = SERVER
    workgroup = MYDOMAIN
    server string = LDAP PDC [on Gentoo :: Samba server %v]
    hosts allow = 10.166.10.0/24 127.0.0.0/8
    security = user
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces = lo eth1
    bind interfaces only = yes
    local master = yes
    os level = 65
    domain master = yes
    preferred master = yes
    null passwords = no
    hide unreadable = yes
    hide dot files = yes
    domain logons = yes
    ;logon script = login.bat OR %U.bat
    logon path = \\%L\profiles\%U
    logon drive = E:
    logon home = \\%L\%U
    wins support = yes
    name resolve order = wins lmhosts host bcast
    dns proxy = no
    time server = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = ldapsam:ldaps://127.0.0.1:636/
    ldap passwd sync = Yes
    ldap suffix = dc=sanitized,dc=com
    ldap admin dn = cn=Manager,dc=sanitized,dc=com
    ldap ssl = yes
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    ldap machine suffix = ou=People
    ldap idmap suffix = ou=People
    add user script = /usr/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    #delete user script = /usr/sbin/smbldap-userdel %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    #delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u

[netlogon]
    path = /var/lib/samba/netlogon
    guest ok = no
    read only = yes
    browseable = no
    write list = root

[profiles]
    path = /var/lib/samba/profiles
    browsable = no
    writable = yes
    create mode = 0644
    directory mode = 0755

[homes]
    path = /home/%U
    browseable = no
    valid users = %S
    read only = no
    guest ok = no
    create mask = 0664
    directory mask = 0775
    inherit permissions = yes

;[public]
; comment = Public Stuff
; path = /public
; public = yes
; read only = yes
; browseable = yes
; write list = @users
-END /etc/samba/smb.conf -

Thanks,
- Jeff
Re: [Samba] Samba PDC/LDAP not mapping logon drive
hello jeff

Jeff Wiegley wrote:
> Everything seems to be working fine except for 1) roaming profiles, and 2) User's home directory (logon drive) doesn't get mapped during log in. So basically I can log in to the workstation. My user can even see their home directory shares (via the [homes] share) but it doesn't get mapped automatically as drive E: (or any other drive letter) when they log on.

my experience showed, that not all windows clients automatically map the drive. workaround: use
net use e: /HOME
in your logon script.

roaming profiles:
- please check, if your client is a correct member of the domain.
- check unix rights of the filesystem. profiles needs profile acls = yes

we're using following entries for the [profile] section:
csc policy = disable
browsable = no
profile acls = yes
path = /var/smbdata/profiles
writable = yes
create mask = 0600
directory mask = 0700

> ;logon script = login.bat OR %U.bat

you have commented out the logonscript?

--
greetings, kurt, austria. (http://www.kwnet.at)
=== this is a posting from a samba *user* - not a samba developer. the posting is created on the base of experiences and may be faulty. so, if contains any mistakes, please feel free to correct it ===
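The difference between the two [profiles] sections in this exchange can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses smb.conf text and audits the roaming-profile share for masks that leave group/other permission bits set, guest access, and a missing profile acls setting. The function names and finding messages are assumptions, and the two sample configs are the sections posted above, re-wrapped one parameter per line.

```python
import re

# Samba accepts alternative spellings for some parameters; fold them to one name.
SYNONYMS = {
    "create mode": "create mask",
    "directory mode": "directory mask",
    "browsable": "browseable",
    "public": "guest ok",
}
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed samples: share sections as posted in this thread, one parameter
# per line. The reply's section header is normalised to [profiles].
QUESTION_CONF = """
[profiles]
path = /var/lib/samba/profiles
browsable = no
writable = yes
create mode = 0644
directory mode = 0755

[homes]
path = /home/%U
create mask = 0664
directory mask = 0775
"""

REPLY_CONF = """
[profiles]
csc policy = disable
browsable = no
profile acls = yes
path = /var/smbdata/profiles
writable = yes
create mask = 0600
directory mask = 0700
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased and
    synonyms folded. Lines starting with '#' or ';' are comments.
    Backslash line continuations are not handled (assumption: not used)."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # collapse inner whitespace
        current[SYNONYMS.get(key, key)] = value.strip()
    return shares


def audit_profile_share(text, share="profiles"):
    """Return a list of findings for the roaming-profile share."""
    shares = parse_smb_conf(text)
    if share not in shares:
        return [f"[{share}] share not found"]
    params = shares[share]
    findings = []
    for key in ("create mask", "directory mask"):
        value = params.get(key)
        if value is None:
            findings.append(f"{key} is not set, so the built-in default applies")
            continue
        try:
            mode = int(value, 8)
        except ValueError:
            findings.append(f"{key} = {value} is not an octal mode")
            continue
        if mode & 0o077:
            findings.append(f"{key} = {value} leaves group/other bits enabled")
    if params.get("guest ok", "no").lower() in TRUE_VALUES:
        findings.append("guest ok is enabled on the profile share")
    if params.get("profile acls", "no").lower() not in TRUE_VALUES:
        findings.append("profile acls is not enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("reply", REPLY_CONF)):
        print(name, audit_profile_share(conf) or "no findings")
```
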
[Samba] where is error. samba PDC+LDAP
Hello. Where is error in configuration samba+LDAP. Why samba does not accept my login and password? Workstation Win XP professional SP2 Please help me. Error often can be found in log files, but my log contains not error, as for me. Here is log file: [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2006/01/17 16:54:14, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface [2006/01/17 16:54:14, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [EMAIL PROTECTED] [2006/01/17 16:54:14, 3] auth/auth.c:check_ntlm_password(268) check_ntlm_password: guest authentication for user [] succeeded [2006/01/17 16:54:14, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags: [2006/01/17 16:54:14, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60088215 [2006/01/17 16:54:14, 3] smbd/password.c:register_vuid(222) User name: nobodyReal name: nobody [2006/01/17 16:54:14, 3] smbd/password.c:register_vuid(241) UNIX uid 65534 is UNIX user nobody, and will be vuid 100 [2006/01/17 16:54:14, 3] smbd/process.c:process_smb(1091) Transaction 3 of length 78 [2006/01/17 16:54:14, 3] smbd/process.c:switch_message(886) switch message SMBtconX (pid 86794) conn 0x0 [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] smbd/service.c:make_connection_snum(479) Connect path is '/tmp' for service [IPC$] [2006/01/17 16:54:14, 3] lib/util_seaccess.c:se_access_check(251) [2006/01/17 16:54:14, 3] 
lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-2252347010-2415896038-3271642905-501 se_access_check: also S-1-5-21-2252347010-2415896038-3271642905-514 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-32-546 [2006/01/17 16:54:14, 3] smbd/vfs.c:vfs_init_default(206) Initialising default vfs hooks [2006/01/17 16:54:14, 3] lib/util_seaccess.c:se_access_check(251) [2006/01/17 16:54:14, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-2252347010-2415896038-3271642905-501 se_access_check: also S-1-5-21-2252347010-2415896038-3271642905-514 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-32-546 [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (65534, 514) - sec_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] smbd/service.c:make_connection_snum(642) alex-df3 (192.168.1.39) connect to service IPC$ initially as user nobody (uid=65534, gid=514) (pid 86794) [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] smbd/reply.c:reply_tcon_and_X(455) tconX service=IPC$ [2006/01/17 16:54:14, 3] smbd/process.c:process_smb(1091) Transaction 4 of length 108 [2006/01/17 16:54:14, 3] smbd/process.c:switch_message(886) switch message SMBntcreateX (pid 86794) conn 0x82db800 [2006/01/17 16:54:14, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (65534, 514) - sec_ctx_stack_ndx = 0 [2006/01/17 16:54:14, 3] smbd/nttrans.c:nt_open_pipe(514) nt_open_pipe: Known pipe NETLOGON opening. 
[2006/01/17 16:54:14, 3] smbd/process.c:process_smb(1091) Transaction 5 of length 140 [2006/01/17 16:54:14, 3] smbd/process.c:switch_message(886) switch message SMBwriteX (pid 86794) conn 0x82db800 [2006/01/17 16:54:14, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(887) api_pipe_bind_req: \PIPE\NETLOGON - \PIPE\lsass [2006/01/17 16:54:14, 3] rpc_server/srv_pipe.c:check_bind_req(762) check_bind_req for \PIPE\NETLOGON [2006/01/17 16:54:14, 3] smbd/pipes.c:reply_pipe_write_and_X(199) writeX-IPC pnum=761c nwritten=72 [2006/01/17 16:54:14, 3] smbd/process.c:process_smb(1091) Transaction 6 of length 63 [2006/01/17 16:54:14, 3] smbd/process.c:switch_message(886) switch message SMBreadX (pid 86794) conn 0x82db800 [2006/01/17 16:54:14, 3] smbd/pipes.c:reply_pipe_read_and_X(242) readX-IPC pnum=761c min=1024 max=1024 nread=68 [2006/01/17 16:54:14, 3] smbd/process.c:process_smb(1091) Transaction 7 of length 162 [2006/01/17 16:54:14, 3] smbd/process.c:switch_message(886) switch message SMBwriteX (pid 86794) conn 0x82db800 [2006/01/17 16:54:14, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) free_pipe_context: destroying talloc pool of size 0 [2006/01/17 16:54:14, 3] rpc_server/srv_pipe.c:api_rpcTNP(1538) api_rpcTNP: rpc command: NET_REQCHAL [2006/01/17 16:54:14, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542)
Re: Out-of-office notice: [Samba] where is error. samba PDC+LDAP
[EMAIL PROTECTED] wrote:
> Hello, I am on vacation up to and including 20.1.2006. After that I will answer your mail promptly. In urgent cases please call 0751/5695-500. There you will be given the name of a deputy of mine who will take care of your problem. Kind regards, Markus Scheffknecht

In English please.
[Samba] Samba PDC, LDAP and permissions
Hi all,

I have a Samba PDC running on OpenSuSe 10 with LDAP as the backend and am running Mandriva 2006 as a member server with a few shares for users. The PDC seems OK and I've added the member using the instructions in the Samba example documents and I'm at the following point:

OpenLDAP is running on the PDC itself. I can login to Linux as any LDAP user account suggesting that NSS Ldap is functioning correctly. Running getent passwd and getent group on the PDC provide a user and group list confirming I can set user and group ownership on any file or folder to a valid LDAP SambaSAM account and set permissions accordingly and these permissions have the appropriate effect on user's access.

The PDC's name is SMB1, the Domain is BGS. If I run net getlocalsid and net getlocalsid BGS on the PDC I receive the same SID in both cases. Smbldap-tools from Idealx.org works fine and I can add, modify and delete user's accounts from the command line without problems. The whole LDAP setup is from the idealx.org example.

Onto the member server (SMB2)... I've only got one domain so I'm not using Winbind relying instead on the LDAP database on the PDC. The server will authenticate UNIX users and getent returns complete user and group lists. Smb.conf uses ldapsam as the idmap backend and the second server successfully works as a BDC taking logins from clients on the network.

There are three users listed as Domain Admins. If any of these users logs into a client and selects a folder or file from a shared directory on the BDC and opens the permissions tab in properties the permission on a folder shows as SMB2\Domain Admins instead of BGS\Domain Admins. If you printscreen the window as the client resolves the SID's however, the SID/RID of the SMB1/Domain Admins group is the same as the SID from the PDC (BGS/Domain Admins). If a domain admin tries to set permission on a folder, it accepts the changes but they vanish from the check boxes after it's been OK'd. The modified permissions do appear in the advanced tab though.

Is there a reason for the difference in Domain names? Does it matter if the SIDs are the same? Have I missed out an important setlocalsid command?

Help please, I'm getting stressed ;)

Cheers,
Jools
RE: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?= For your profiles.]
Ok, I'll see if I can set up a wiki which I will maintain, I've got the servers etc, but I'm not so into building a web site, I'll notify the samba list when ready. I use only debian for my servers and setup, I have lots of experience with login scripts etc. atm on windows and novell platforms, I have running debian with samba, ldap, cups, acl,etc3, pnp print setup (raw printing), fax is in progress, kix login script, use of usrmgr, and ldapadmin. I'm trying to integrate postfix and exchange 4linux into it, and also I'm looking at the hula project. When ready I'll put a howto for this on my wiki.

Greetz louis

-Original Message-
From: Gerald (Jerry) Carter[EMAIL PROTECTED]
Sent: 07-10-05 18:15:01
To: Craig White[EMAIL PROTECTED]
Cc: samba@lists.samba.orgsamba@lists.samba.org
Subject: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?= For your profiles.]

Craig White wrote:
> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

cheers, jerry
=
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us. --anonymous
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
Hi,

For the profile problems. This is my working config.

in the smb.conf (global setting)

## MISC PROFILE
logon script = logon.cmd
logon home = \\%L\%U
logon path = \\%L\profiles\%U
logon drive = P:

and

[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
create mask = 0600
directory mask = 0700
## browseable = yes can be no also, but i need it to be browsable.
## if you want it browsable but not shown, add a $ behind [profiles$]
## and same in the logon path above.
browseable = Yes
guest ok = Yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @Domain Admins

when this is done. add 2 registry keys.

/cut_here
REGEDIT4
; do not roam the following folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
ExcludeProfileDirs=Temporary Internet Files;History;Temp
;-
; force Windows XP Professional clients to accept Samba as a PDC
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
requiresignorseal=dword:
signsecurechannel=dword:
;-
; Do not check for user ownership of Roaming Profile Folders
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
CompatibleRUPSecurity=dword:0001
/cut_here

this will work, and many thanks for who help me out some time ago ;-)

Louis

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ryan Taylor
Sent: Thursday 6 October 2005 17:56
To: samba@lists.samba.org
Subject: [Samba] Re: SAMBA/PDC + LDAP HELP please?

Ok, I figured it out!! Thank you for the help and for others the change was in /etc/ldap.conf and I had:

rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com

i removed the ou=group after root and changed rootbinddn to just binddn and that did it.. Everything works great except for the profiles which the windows machine doesn't seem to know about %L variable. I imagine this is because I am on Samba 3.0.10 not 3.0.20a so maybe its a new variable... Anyway, just wanted to say Thank you to everyone for the help. The microsoft rep. assigned to our company is not going to be happy next week when time to renew!! ha, i love it.

--Ryan Taylor
[EMAIL PROTECTED]
Micro Consultants
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
> when this is done. add 2 registry keys.
>
> /cut_here
> REGEDIT4
> ; do not roam the following folders
> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> ExcludeProfileDirs=Temporary Internet Files;History;Temp
> ;-
> ; force Windows XP Professional clients to accept Samba as a PDC
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> requiresignorseal=dword:
> signsecurechannel=dword:
> ;-
> ; Do not check for user ownership of Roaming Profile Folders
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> CompatibleRUPSecurity=dword:0001
> /cut_here

I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows.

requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue.

I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1

The 'ExcludeProfileDirs' - those folders should have been excluded automatically.

Craig
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
really, thank you for notifying me.. but why is this then in the manual
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html

Windows XP Service Pack 1
There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called:
Computer Configuration\Administrative Templates\System\User Profiles\ Do not check for user ownership of Roaming Profile Folders
( is same as CompatibleRUPSecurity=dword:0001 )

And yes this is also in SP2.

I used this to avoid problems, and it works for me. As i see in the sambalist lots of people have the same problems and questions so therefore i give them my working config, And this is what i did.

that of the requiresignorseal / signsecurechannel i didn't know, so i'm going to test this in my 2nd office location. thank you for notifying me for that.

the ExcludeProfileDirs is used in my default user profile. and these are the default directories : Geschiedenis, Local Settings, Temp and Temporary Internet Files

default there is also Local Settings.. and i want these to move also in to the profile dir on the server, there are files in i need when users move to an other pc. for example.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat )
Stores a reference to which extensions (addins) you have loaded.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
Contains setting of my users, so i excluded this out of the excludeprofiledir

just some comment..

Louis

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Craig White
Sent: Friday 7 October 2005 14:39
To: samba@lists.samba.org
Subject: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.

On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
> when this is done. add 2 registry keys.
>
> /cut_here
> REGEDIT4
> ; do not roam the following folders
> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> ExcludeProfileDirs=Temporary Internet Files;History;Temp
> ;-
> ; force Windows XP Professional clients to accept Samba as a PDC
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> requiresignorseal=dword:
> signsecurechannel=dword:
> ;-
> ; Do not check for user ownership of Roaming Profile Folders
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> CompatibleRUPSecurity=dword:0001
> /cut_here

I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows.

requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue.

I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1

The 'ExcludeProfileDirs' - those folders should have been excluded automatically.

Craig
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Fri, 2005-10-07 at 15:51 +0200, Louis van Belle wrote: realy, thank you for notifing me.. but why is this then in the manual http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html Windows XP Service Pack 1 There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called: Computer Configuration\Administrative Templates\System\User Profiles\ Do not check for user ownership of Roaming Profile Folders ( is same as CompatibleRUPSecurity=dword:0001 ) And yes this is also in SP2. I used this to avoid problems, and it works for me. As i see in the sambalist lots of people have the same problems and questions so therefor i give them my working config, And this is what i did. that of the requiresignorseal / signsecurechannel i didnt know, so im going to test this in my 2e office location. thank you voor notifing me for that. the ExcludeProfileDirs is used in my default user profile. and this are the default directories : Geschiedenis, Local Settings, Temp en Temporary Internet Files default there is also Local Settings.. and i want these to move also in to the profile dir on the server, there are files in i need when users move to an other pc. for example. %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat ) Stores a reference to which extensions (addins) you have loaded. %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials Contains setting of my users, so i excluded this out of the excludeprofiledir just some comment.. - good points - perhaps John Terpstra might want to comment on the 'CompatibleRUPSecurity' registry setting and continuity of this setting. I haven't bothered with it and haven't had any issues. 
I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Craig White wrote:
> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

cheers, jerry
=
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us. --anonymous
Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Friday 07 October 2005 07:51, Louis van Belle wrote: realy, thank you for notifing me.. but why is this then in the manual http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html Windows XP Service Pack 1 There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called: Computer Configuration\Administrative Templates\System\User Profiles\ Do not check for user ownership of Roaming Profile Folders ( is same as CompatibleRUPSecurity=dword:0001 ) And yes this is also in SP2. This was user contributed documentation. The HOWTO document is a broad collection of tips, explanations, hints, and detailed explanations of the inner workings of Samba. I have re-read the chapter and believe the information is still useful, though it could do with some updating. Please take note though, the HOWTO is NOT a deployment guide. Is anyone volunteering to review and revise this chapter? I do not have time right now. Detailed example configurations for Samba, support software and Windows clients is provided in the book Samba-3 by Example ISBN 013188221X, available from Amazon.Com and in PDF from: http://www.samba.org/samba/docs/Samba3-ByExample.pdf Samba3 by Example is a prescriptive guidance document that provides detailed, step-by-step, deployment information for complete networking solutions. The book, The Official Samba-3 HOWTO and Reference Guide is NOT a deployment guide, but it provides detailed documentation of the various capabilities and components of Samba - without showing detailed deployment steps. Cheers, John T. I used this to avoid problems, and it works for me. As i see in the sambalist lots of people have the same problems and questions so therefor i give them my working config, And this is what i did. that of the requiresignorseal / signsecurechannel i didnt know, so im going to test this in my 2e office location. 
thank you voor notifing me for that. the ExcludeProfileDirs is used in my default user profile. and this are the default directories : Geschiedenis, Local Settings, Temp en Temporary Internet Files default there is also Local Settings.. and i want these to move also in to the profile dir on the server, there are files in i need when users move to an other pc. for example. %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat ) Stores a reference to which extensions (addins) you have loaded. %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials Contains setting of my users, so i excluded this out of the excludeprofiledir just some comment.. Louis -Oorspronkelijk bericht- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Namens Craig White Verzonden: vrijdag 7 oktober 2005 14:39 Aan: samba@lists.samba.org Onderwerp: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles. On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote: when this is done. add 2 registry keys. /cut_here REGEDIT4 ; do not roam the following folders [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] ExcludeProfileDirs=Temporary Internet Files;History;Temp ;-- --- ; force Windows XP Professional clients to accept Samba as a PDC [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\ Parameters] requiresignorseal=dword: signsecurechannel=dword: ;-- --- ; Do not check for user ownership of Roaming Profile Folders [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] CompatibleRUPSecurity=dword:0001 /cut_here - I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows. requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue. 
I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1 The 'ExcludeProfileDirs' - those folders should have been excluded automatically. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- John H Terpstra Samba-Team Member Phone: +1 (650) 580-8668 Author: The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228 Samba-3 by Example, 2 Ed., ISBN: 0131882221X Hardening Linux, ISBN: 0072254971 Other books in production
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Tomasz Chmielewski wrote:
> Gerald (Jerry) Carter wrote:
>> Craig White wrote:
>>> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.
>>
>> We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.
>
> IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?

:-) We have a tremendous amount of urban legend on this list. Just count the number of times someone has suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server.

But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information?

cheers, jerry
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Gerald (Jerry) Carter wrote:
> Craig White wrote:
>> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.
>
> We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Gerald (Jerry) Carter wrote:
> Tomasz Chmielewski wrote:
>> Gerald (Jerry) Carter wrote:
>>> Craig White wrote:
>>>> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.
>>>
>>> We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.
>>
>> IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?
>
> :-) We have a tremendous amount of urban legend on this list. Just count the number of times someone has suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server.

baah, some time ago I asked the same question :) when I couldn't join XP machines to the domain (where Windows 2000 was working fine) - I spent a couple of hours trying to figure out what's wrong (some old wins.dat / browse.dat on that test server was the cause).

> But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information?

that's the whole beauty of wiki (at least mediawiki I used, and which is used by wikipedia.org):
- you can easily see recent changes (new pages/articles, changes on pages, who made them etc.)
- you can easily compare changes (i.e. compare the state of an article/page we have now with the state we had previously)
- so it's just a matter of seconds to spot if someone posted crap or something valuable

I think the most important thing (and the hardest, too) would be to design good categories to post articles in (some articles would be of course in multiple categories), like:
- different Samba versions (2, 3, 4...)
- backends
- printing
- configuration
- installation
etc.

Basically, lots of categories could come from Samba HOWTO, but wouldn't be just the articles copied/pasted from the HOWTO, but something posted by the users, and eventually commented, corrected etc. I could imagine myself commenting the sign'n'seal hack :)
[Samba] Re: wiki.samba.org ? [was Re: Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Gerald (Jerry) Carter wrote:

Tomasz Chmielewski wrote:

Gerald (Jerry) Carter wrote:

Craig White wrote:

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful? :-)

We have a tremendous amount of urban legend on this list. Just count the number of times someone has suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server.

But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information?

cheers, jerry

I'm new, but I'd help where I could.

Sean
Re: [Samba] SAMBA/PDC + LDAP HELP please?
On October 5, 2005 06:28 pm, Ryan Taylor wrote:

Error 49 from the slapd docs is an invalid credentials error. So your problem will be in the libnss config file /etc/ldap.conf not in /etc/ldap/ldap.conf. Check to make sure that both binddn and rootdn are defined in the file and make sure that you have the proper rootdn password in /etc/ldap.secret, i.e.

binddn cn=nss,ou=Admins,dc=x
bindpw ldap
rootbinddn cn=root,dc=x

You can also run ethereal to see what is getting sent down the wire as long as you turn ssl/tls off. It's pretty handy for figuring stuff like this out.

Ryan

More information... below is my log after running getent group | grep Domain

thank you
-ryan

Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
[Samba] Re: SAMBA/PDC + LDAP HELP please?
Ok, I figured it out!! Thank you for the help and for others the change was in /etc/ldap.conf and I had:

rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com

I removed the ou=group after root and changed rootbinddn to just binddn and that did it.. Everything works great except for the profiles which the windows machine doesn't seem to know about %L variable. I imagine this is because I am on Samba 3.0.10 not 3.0.20a so maybe it's a new variable...

Anyway, just wanted to say Thank you to everyone for the help. The microsoft rep. assigned to our company is not going to be happy next week when time to renew!! ha, I love it.

--Ryan Taylor
[EMAIL PROTECTED]
Micro Consultants
[Samba] SAMBA/PDC + LDAP HELP please?
Thank you to John Terpstra and his book Samba-3 by Example I have made great strides. Seems like I am one step away... which is getting the system to check ldap, which it seems to be ignoring. Has anyone had this problem? I ran authconfig and told it to use ldap as well as edited the nsswitch.conf to files ldap where supposed to be. But every getent command just pulls system info and nothing from ldap... is this a redhat specific problem maybe?

Thank you for suggestions,
Ryan Taylor
[EMAIL PROTECTED]
[Samba] SAMBA/PDC + LDAP HELP please?
More information... below is my log after running getent group | grep Domain

thank you
-ryan

Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
Re: [Samba] SAMBA/PDC + LDAP HELP please?
On Wed, 2005-10-05 at 19:28 -0400, Ryan Taylor wrote:

More information... below is my log after running getent group | grep Domain

thank you
-ryan

Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed

err=49 means bad credentials

smbpasswd -w Password_of_ldap_admin_as_defined_in_smb.conf

Craig
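The reading Craig gives above (a BIND answered by RESULT tag=97 err=49 on the same conn/op) can be checked mechanically. This is an added example, not code from the thread: it pairs each BIND with its result and compares the failing DN with the DN the admin expects, here the `ldap admin dn` from the smb.conf posted in this thread. The function names and hint labels are chosen here for illustration.

```python
import re
from collections import Counter

# slapd stats-level log lines. conn=0 and conn=1 follow the lines quoted in the
# thread; conn=2 (a successful bind) is constructed here for contrast.
SAMPLE_LOG = """\
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
Oct 5 19:27:10 beefylinux slapd[3320]: conn=2 fd=11 ACCEPT from IP=127.0.0.1:32896 (IP=0.0.0.0:389)
Oct 5 19:27:10 beefylinux slapd[3320]: conn=2 op=0 BIND dn="cn=Manager,dc=beefylinux,dc=com" method=128
Oct 5 19:27:10 beefylinux slapd[3320]: conn=2 op=0 RESULT tag=97 err=0 text=
"""

# RFC 4511 result codes commonly returned for a bind that does not succeed.
RESULT_NAMES = {32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}
BIND_RESPONSE_TAG = 97      # BER tag of an LDAP BindResponse
NOT_A_FAILURE = {0, 14}     # success, saslBindInProgress

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+slapd\[\d+\]:\s+"
                  r"conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
ACCEPT = re.compile(r"^fd=\d+ ACCEPT from IP=\s*(?P<peer>\S+)")
# The DN is quoted in raw slapd logs; the thread's copy lost the quotes.
BIND = re.compile(r'^op=(?P<op>\d+) BIND dn=(?:"(?P<qdn>[^"]*)"|(?P<dn>\S*)) method=\d+')
RESULT = re.compile(r"^op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")


def failed_binds(lines):
    """Pair each BIND with the RESULT on the same (conn, op); return failures."""
    peers, pending, failures = {}, {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        if (a := ACCEPT.match(rest)):
            peers[conn] = a["peer"]
        elif (b := BIND.match(rest)):
            dn = b["qdn"] if b["qdn"] is not None else b["dn"]
            pending[(conn, int(b["op"]))] = dn
        elif (r := RESULT.match(rest)):
            key, err = (conn, int(r["op"])), int(r["err"])
            if int(r["tag"]) == BIND_RESPONSE_TAG and key in pending:
                dn = pending.pop(key)
                if err not in NOT_A_FAILURE:
                    failures.append({"time": m["ts"], "peer": peers.get(conn),
                                     "dn": dn, "err": err,
                                     "err_name": RESULT_NAMES.get(err, "other")})
        elif rest.endswith("closed"):
            peers.pop(conn, None)   # conn numbers restart when slapd restarts
    return failures


def normalize_dn(dn):
    """Case-fold and trim each RDN (simplified: ignores RFC 4514 escaping)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def classify(failures, expected_dns):
    """err=49 is returned for a wrong password and for a DN that does not
    exist, so the log alone cannot tell them apart. Comparing the failing DN
    with the DN the admin meant to use narrows it down."""
    expected = {normalize_dn(d) for d in expected_dns}
    counts = Counter(normalize_dn(f["dn"]) for f in failures)
    return {dn: {"failures": n,
                 "hint": "check-secret" if dn in expected else "check-dn"}
            for dn, n in counts.items()}


if __name__ == "__main__":
    failures = failed_binds(SAMPLE_LOG.splitlines())
    # Expected DN taken from "ldap admin dn" in the smb.conf posted in the thread.
    for dn, info in classify(failures, ["cn=Manager,dc=beefylinux,dc=com"]).items():
        print(dn, info)
```

A "check-dn" hint means the client is binding as a DN other than the expected one, so the place to look is the binddn/rootbinddn line of the client's ldap.conf rather than the stored password.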
RE: [Samba] SAMBA/PDC + LDAP HELP please?
Hi,

If you are using Fedora and have selinux enabled for your build, at the console setenforce 0, and then try getent. If successful, I would suggest modifying selinux policy to accommodate the need for access.

Just a thought,
Guille

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Taylor
Sent: Wednesday, October 05, 2005 4:29 PM
To: samba@lists.samba.org
Subject: [Samba] SAMBA/PDC + LDAP HELP please?

More information... below is my log after running getent group | grep Domain

thank you
-ryan

Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn=cn=Manager,ou=DSA,dc=beefylinux,dc=com method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
[Samba] SAMBA/PDC + LDAP HELP please?
Hi,

I have been trying to work this out on my own now for about a week and feel like I am so close..haha. I have samba setup as a PDC and in theory authenticating users through openLDAP with the use of smbldap-tools by IDEALX. I have checked the windows registry fix, but still no luck. When I try to join the domain as root, I get the error:

Username could not be found

Any help would be greatly, greatly appreciated as I am at the end of my time to get this job done. I don't need encryption and don't mind if everything is plain text..(security not issue yet) I have included all configs I believe are important (minus the comments to make them shorter) please let me know if I can provide anything else!

Thank you in advance for your time,
Ryan Taylor
[EMAIL PROTECTED]

** *** /ETC/SAMBA/SMB.CONF **

#=== Global Settings =
[global]
workgroup = BEEFY-NT
netbios name = PDC-SRV
#enable privileges = yes
interfaces = 192.168.0.69
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
ldap passwd sync = Yes
log level = 2
syslog = 2
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:ldap://127.0.0.1/ ldap://slave.beefylinux.com; ldap://slave.beefylinux.com%22
# ldap filter = ((objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=Manager,dc=beefylinux,dc=com
ldap suffix = dc=beefylinux,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd =m %u
ldap delete dn = Yes
#delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
# printers configuration
printer admin = @Print Operators
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = no

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @Domain Admins

[printers]
comment = Network Printers
printer admin = @Print Operators
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j

[print$]
path = /home/printers
printer admin = @Print Operators
guest ok = yes
browseable = Yes
read only = Yes
valid users = @Printer Operators
write list = @Print Operators
create mask = 0664
directory mask = 0775

[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664

* /etc/LDAP.CONF *

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
host 127.0.0.1
base dc=beefylinux,dc=com
rootbinddn cn=manager,ou=DSA,dc=beefylinux,dc=com
nss_base_passwd
Re: [Samba] SAMBA/PDC + LDAP HELP please?
On Tuesday 04 October 2005 15:49, Ryan Taylor wrote:

Hi,

I have been trying to work this out on my own now for about a week and feel like I am so close..haha. I have samba setup as a PDC and in theory authenticating users through openLDAP with the use of smbldap-tools by IDEALX. I have checked the windows registry fix, but still no luck. When I try to join the domain as root, I get the error:

Username could not be found

Any help would be greatly, greatly appreciated as I am at the end of my time to get this job done. I don't need encryption and don't mind if everything is plain text..(security not issue yet) I have included all configs I believe are important (minus the comments to make them shorter) please let me know if I can provide anything else!

Ryan,

I spent a lot of time writing a book that documents how to make Samba-3 do what users want it to do. The book is called Samba-3 by Example. It is available from Amazon.Com and has ISBN 013188221X. Alternatively, you can download the PDF from:

http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Chapter 5 comprehensively documents Samba-3 plus OpenLDAP. If the information does not meet your needs please let me know so I can fix it. I despise documentation that is inadequate or ineffective, so any help you can give me to make this book more useful and more helpful is most welcome.

Cheers,
John T.
Re: [Samba] PDC + LDAP, cannot access LDAP when not root (SOLVED)
On Tue, 2005-09-27 at 16:34 -0400, David Clymer wrote:

I'm using Debian Sarge, Samba (3.1.14a) with the ldapsam backend, and OpenLDAP (2.2.23). When attempting to join a Windows XP+SP2 computer (BILLGATES) to my domain (WORKGROUP), using the Administrator account, I am told by windows: 'Access denied.'

The logs (attached) seem to indicate that the user Administrator is being authenticated (which would have? to use LDAP), but when it goes to add the computer to the domain, it fails. Apparently because samba is unable to access LDAP:

smbldap_open: cannot access LDAP when not root..

nobody and Administrator are the only users on the domain.

An interesting phenomenon that I've observed (perhaps it is related?):

testbox:/etc/samba# pdbedit -L
Administrator:998:Administrator
nobody:65534:nobody
testbox:/etc/samba# net -U Administrator rpc group members 'Domain Computers'
Password:
WORKGROUP\BILLGATES$
testbox:/etc/samba# net -U Administrator rpc group members 'Domain Admins'
Password:
WORKGROUP\Administrator
testbox:/etc/samba# net -U Administrator rpc group members 'Administrators'
Password:
[2005/09/27 16:05:11, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
Couldn't list alias members

I don't understand why Administrators group listing fails, while the others don't. Google searches yielded a bunch of similar problems for early versions of samba 3.0, related to modification of user groups. However that bug was supposedly fixed, and I've seen no reports of it occurring in later versions. There are no open bugs, that I could find, related to this on bugzilla.samba.org. Is there any type of (mis)configuration that could result in the same sort of symptom?

attached is my smb.conf, smbldap.conf, and my samba log output (debug level=4)

I would be very grateful for any ideas, FMs to R, magic wands, etc. that anyone might have to offer.

The FM to (re)R was the smb.conf man page ;o)

The solution: add this to smb.conf:

enable privileges = yes

This allows you to grant special privileges to users (see man smb.conf for more detail)

reload the samba config:

$ smbcontrol smbd reload-config

and grant the necessary rights to Administrator:

$ net -U Administrator rpc rights list
SeMachineAccountPrivilege  Add machines to domain
SePrintOperatorPrivilege  Manage printers
SeAddUsersPrivilege  Add users and groups to the domain
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SeDiskOperatorPrivilege  Manage disk shares
$ net -U Administrator rpc rights list Administrator
$ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
Successfully granted rights.

Now one can add machines to the domain. Better yet, the administrator account does _not_ have to have a uid of 0!

-davidc

--
Under-Achievers Anonymous has an 11-step program.
[Samba] [Samba PDC + LDAP] How to set user password never expires using smb-ldap tools
Hi Everybody,

Target is to set Samba PDC server with ldap backend.

Environment used:
Samba 3.0.20
Samba ldap tools 0.9.1-1

I can add user but password gets expired frequently, so my question is how can I set Password Never Expires using samba-ldap tools.

Thanx
Arun Sharma
Re: [Samba] [Samba PDC + LDAP] How to set user password never expires using smb-ldap tools
Arun Sharma wrote:

Hi Everybody,

Target is to set Samba PDC server with ldap backend.

Environment used:
Samba 3.0.20
Samba ldap tools 0.9.1-1

I can add user but password gets expired frequently, so my question is how can I set Password Never Expires using samba-ldap tools.

Try using LAM - http://lam.sf.net - for managing your users, groups etc. There you can easily set the password expiry, logon hours etc. lots of useful features.

--
Tomek
http://wpkg.org
[Samba] Samba PDC, ldap or mysql????
Hi all,

I'm under the gun to rid ourselves of the nt4 PDC which we currently use. options are A/D, samba, pgina. I really dig pgina, but don't think I can pass citrix credentials properly :( So I'm left with samba vs A/D. A/D is well,, um A/D, so trying to avoid it.

Currently have used Samba file servers for years. Have played with Samba PDC with 2.2. Now, going to try Samba3 pdc. Have about 300 users.

I'd really like to understand the advantages/disadvantages of ldap vs mysql for backend. Would like our other *windows admins* to be able to add users,machines,groups etc. easily. I think I'd like best to store in mysql, but want to know if there's any functionality I'll miss using mysql instead of ldap. seems ldap for backend has been around a while. I'd really like to hear from anyone using mysql for backend, or ldap

thanks
Mark
[Samba] Samba PDC, ldap or mysql????
Hi All,

I'm really under the gun to rid ourselves of our existing nt4 pdc. I like the looks of pGina a lot, but have some issues with citrix:( So, I'm ready to migrate to a samba pdc. Trying to decide what's the best pdb to use.

info:
- several samba servers in production for years, in the nt4domain
- ~300 users
- would like other admins to be able to add users,machines,etc. easily
- have played with ldap, not afraid of, have used for email address books. NO current production level ldap here.
- MySql running for several years.

I think I would like to use MySql as the backend. Question: is the mysql backend as well integrated as LDAP? adduser scripts etc. Would really like to hear people's real-world experience with both.

thanks
Mark
Re: [Samba] Samba PDC, ldap or mysql????
On Thursday 25 August 2005 10:48, Mark Nehemiah wrote:

Hi all,

I'm under the gun to rid ourselves of the nt4 PDC which we currently use. options are A/D, samba, pgina. I really dig pgina, but don't think I can pass citrix credentials properly :( So I'm left with samba vs A/D. A/D is well,, um A/D, so trying to avoid it.

Currently have used Samba file servers for years. Have played with Samba PDC with 2.2. Now, going to try Samba3 pdc. Have about 300 users.

I'd really like to understand the advantages/disadvantages of ldap vs mysql for backend. Would like our other *windows admins* to be able to add users,machines,groups etc. easily. I think I'd like best to store in mysql, but want to know if there's any functionality I'll miss using mysql instead of ldap. seems ldap for backend has been around a while. I'd really like to hear from anyone using mysql for backend, or ldap

If your 300 users are all at one site, and you do not need BDCs, you could use the tdbsam for the passdb backend. I believe that LDAP is the preferred choice because it provides a lot more flexibility than the tdbsam backend. I would not use the mysql backend because it is considered experimental only and support for it from the Samba Team is very limited.

The examples I used in my book Samba-3 by Example are all real-world networks. I have deployed Samba-3 and LDAP in several large sites. It works reliably.

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] Samba PDC, ldap or mysql????
Hi Mark,

Mark Nehemiah wrote:

I'd really like to understand the advantages/disadvantages of ldap vs mysql for backend. Would like our other *windows admins* to be able to add users,machines,groups etc. easily. I think I'd like best to store in mysql, but want to know if there's any functionality I'll miss using mysql instead of ldap. seems ldap for backend has been around a while.

The MySQL backend is currently still experimental. It's broken in 3.0.14a and 3.0.20, but we're working on fixing it. It also doesn't have support for group mapping support (yet). If you have no specific reasons for going with MySQL (such as already having another user database in MySQL), I'd advise going with LDAP.

Cheers,
Jelmer
Re: [Samba] Samba PDC, ldap or mysql????
On Thu, August 25, 2005 12:10 pm, John H Terpstra said:

On Thursday 25 August 2005 10:48, Mark Nehemiah wrote:

Hi all,

I'm under the gun to rid ourselves of the nt4 PDC which we currently use. options are A/D, samba, pgina. I really dig pgina, but don't think I can pass citrix credentials properly :( So I'm left with samba vs A/D. A/D is well,, um A/D, so trying to avoid it.

Currently have used Samba file servers for years. Have played with Samba PDC with 2.2. Now, going to try Samba3 pdc. Have about 300 users.

I'd really like to understand the advantages/disadvantages of ldap vs mysql for backend. Would like our other *windows admins* to be able to add users,machines,groups etc. easily. I think I'd like best to store in mysql, but want to know if there's any functionality I'll miss using mysql instead of ldap. seems ldap for backend has been around a while. I'd really like to hear from anyone using mysql for backend, or ldap

If your 300 users are all at one site, and you do not need BDCs, you could use the tdbsam for the passdb backend. I believe that LDAP is the preferred choice because it provides a lot more flexibility than the tdbsam backend. I would not use the mysql backend because it is considered experimental only and support for it from the Samba Team is very limited.

The examples I used in my book Samba-3 by Example are all real-world networks. I have deployed Samba-3 and LDAP in several large sites. It works reliably.

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.

Thanks for the quick reply John,

all users at 1 site, other sites will use citrix servers here for access. Other than the obvious *LDAP* features of using ldap, can I get the same functionality out of using tdbsam?? sorry this Samba PDC stuff is really new to me. mostly concerned with *windows admins* being able to add users, machines, etc. ??time restrictions??

I really only need 1 pdc with some kind of failover. rsyncing tdbsam probably would work fine, I think:)

Consider another copy of your book sold, I'll see if I can go pick a copy up today at lunch, if not it'll be on order. Have some older samba oreilly books:(

thx again,
Mark
Re: [Samba] Samba PDC, ldap or mysql????
Mark Nehemiah wrote:

Hi all,

I'm under the gun to rid ourselves of the nt4 PDC which we currently use. options are A/D, samba, pgina. I really dig pgina, but don't think I can pass citrix credentials properly :( So I'm left with samba vs A/D. A/D is well,, um A/D, so trying to avoid it.

Currently have used Samba file servers for years. Have played with Samba PDC with 2.2. Now, going to try Samba3 pdc. Have about 300 users.

I'd really like to understand the advantages/disadvantages of ldap vs mysql for backend. Would like our other *windows admins* to be able to add users,machines,groups etc. easily.

LDAP would be a wiser choice. It's widely supported, well described, and there are many tools for that.

For adding users, groups, machines, your Windows admins can use LAM - LDAP Account Manager - http://lam.sf.net - it's a nice web-based tool, where you can define pretty everything when it comes to users, groups etc. (logon hours, scripts etc.).

--
Tomek
http://wpkg.org
Software deployment with Samba
Re: [Samba] Samba(PDC)+LDAP+XPpro cannot join domain /w XP pro machine
I am running into a similar problem. The difference is that when I enter the admin passwd to join my domain, a session fails to be opened...

For you, I'd suggest that you check your password encryption type if it is set correctly...

--- Steven Jacobs [EMAIL PROTECTED] wrote:

I receive an Access is Denied error after providing the Administrator username and password when trying to join my Samba domain. Has anyone run into this??

---log.smbd-
[2005/03/14 19:37:19, 2] lib/interface.c:add_interface(79) added interface ip=192.168.2.4 bcast=192.168.2.255 nmask=255.255.255.0
[2005/03/14 19:37:19, 2] lib/tallocmsg.c:register_msg_pool_usage(57) Registered MSG_REQ_POOL_USAGE
[2005/03/14 19:37:19, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/03/14 19:37:19, 2] smbd/server.c:open_sockets_smbd(324) waiting for a connection
[2005/03/14 19:38:05, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:05, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:05, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:05, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:05, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:06, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:06, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:06, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2005/03/14 19:38:06, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:06, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:06, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
--

---smb.conf
[global]
workgroup = SRSCORP
netbios name = mail1
enable privileges = yes
interfaces = 192.168.2.4
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
ldap passwd sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:ldap://127.0.0.1/ ldap://slave.srsmanagement.com;
# ldap filter =
[Samba] Samba(PDC)+LDAP+XPpro cannot join domain /w XP pro machine
I receive an Access is Denied error after providing the Administrator username and password when trying to join my Samba domain. Has anyone run into this??

---log.smbd-
[2005/03/14 19:37:19, 2] lib/interface.c:add_interface(79) added interface ip=192.168.2.4 bcast=192.168.2.255 nmask=255.255.255.0
[2005/03/14 19:37:19, 2] lib/tallocmsg.c:register_msg_pool_usage(57) Registered MSG_REQ_POOL_USAGE
[2005/03/14 19:37:19, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/03/14 19:37:19, 2] smbd/server.c:open_sockets_smbd(324) waiting for a connection
[2005/03/14 19:38:05, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:05, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:05, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:05, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:05, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_search_domain_info(1373) Searching for:[((objectClass=sambaDomain)(sambaDomainName=SRSCORP))]
[2005/03/14 19:38:06, 2] lib/smbldap.c:smbldap_open_connection(692) smbldap_open_connection: connection opened
[2005/03/14 19:38:06, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:06, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:06, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2005/03/14 19:38:06, 1] lib/smbldap.c:add_new_domain_info(1343) failed to add domain dn= sambaDomainName=SRSCORP,dc=srsmanagement,dc=com with: Already exists
[2005/03/14 19:38:06, 0] lib/smbldap.c:smbldap_search_domain_info(1392) Adding domain info for SRSCORP failed with NT_STATUS_UNSUCCESSFUL
[2005/03/14 19:38:06, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(2959) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
--
---smb.conf
[global]
workgroup = SRSCORP
netbios name = mail1
enable privileges = yes
interfaces = 192.168.2.4
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
ldap passwd sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:ldap://127.0.0.1/ ldap://slave.srsmanagement.com;
# ldap filter = ((objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=samba,ou=DSA,dc=srsmanagement,dc=com
ldap suffix = dc=srsmanagement,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
ldap ssl = no
add user script = /usr/local/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
[Samba] Re: Samba + PDC + LDAP (Sun One DS 5.2, Messaging and Identity)
Hafiz Abdul Rehman [EMAIL PROTECTED] wrote:

> I am planning to install Samba as PDC for Windows XP Machines and LDAP (Sun ONE DS 5.2 + Messaging + Identity) as backend sam. If someone has already set up this kind of environment and can write down the steps, in which order I have to install and configure the products, that would be great.

I'd suggest thinking about the design a bit more - the basic question is: what is the purpose of Sun Messaging and Identity Servers? The latter might be highly useful (at least judging from specs) when integrating with legacy MS Active Directory, but I can't think of any use of the former ;-) The Directory Server is a very solid and feature-rich LDAP implementation though.

What you will need to tweak:
- uploading the samba schema
- configuring the TLS for secure communication with samba

If you're going to deploy samba on Solaris I'd suggest compiling with openldap libraries. But do not switch the whole solaris ldap client side to it. The native tools are very mature and can be configured easily with DS in a secure way (because of proxyagent).

Let us know if you have any specific problem.

Cheers,
--
Michal Kurowski [EMAIL PROTECTED]
Re: [Samba] Samba PDC + LDAP without local Unix accounts?
Related to this topic, I haven't followed the developments in Samba/FreeBSD for 6 months or so. Does Samba 3.0.10/FreeBSD 5.3 work with LDAP/NSSwitch/Winbind? I know at one point the getgrent/getpwent stuff didn't work, so you couldn't enumerate native Windows groups. Has all this been fixed? I would like to begin building a new samba box but don't want to waste my time on this combination to find out it still doesn't work.

Thank you,
Matt Pusateri

On Wed, 19 Jan 2005 22:05:56 -0500, Adam Tauno Williams [EMAIL PROTECTED] wrote:

> > We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy NT4 PDC. Our goal is to use LDAP to centralize all user information and authentication on the network. To that end, we've set up Samba to use LDAP for authentication of all the Windows users. This is working, but Samba seems to require that all Windows accounts have a matching Unix account as well.
>
> YES
>
> > This would be fine, except that all of the user profile directories and Samba shares are hosted on a separate machine, making the Unix accounts superfluous. (As far as I know.) If at all possible, we'd like to avoid having to maintain user accounts on both the LDAP server and the Samba PDC. I had entertained the idea of using an LDAP PAM module to simulate the Unix accounts, but this is looking more and more like the wrong way to go about it as PAM seems tied strictly to authentication and Samba already handles that part.
>
> You're confusing PAM and NSS.
>
> > So to summarize, I'd like to know if a Samba PDC can authenticate users via an LDAP backend without having to contain local Unix accounts for those users as well.
>
> You need to have a 'Unix' account; but you're using LDAP, so it doesn't need to be 'local'.
>
> > I confess to not being a Windows or Samba guru, but I have read a lot of documentation and none of it has shed any light on this particular problem. If there's an easy and obvious way to do this, it has eluded me.
>
> NSS, you probably don't need PAM.
[Samba] Samba PDC + LDAP without local Unix accounts?
Greetings,

We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy NT4 PDC. Our goal is to use LDAP to centralize all user information and authentication on the network. To that end, we've set up Samba to use LDAP for authentication of all the Windows users. This is working, but Samba seems to require that all Windows accounts have a matching Unix account as well.

This would be fine, except that all of the user profile directories and Samba shares are hosted on a separate machine, making the Unix accounts superfluous. (As far as I know.) If at all possible, we'd like to avoid having to maintain user accounts on both the LDAP server and the Samba PDC. I had entertained the idea of using an LDAP PAM module to simulate the Unix accounts, but this is looking more and more like the wrong way to go about it as PAM seems tied strictly to authentication and Samba already handles that part.

So to summarize, I'd like to know if a Samba PDC can authenticate users via an LDAP backend without having to contain local Unix accounts for those users as well.

I confess to not being a Windows or Samba guru, but I have read a lot of documentation and none of it has shed any light on this particular problem. If there's an easy and obvious way to do this, it has eluded me.

Thanks in advance for taking the time to respond.

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com
Re: [Samba] Samba PDC + LDAP without local Unix accounts?
> We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy NT4 PDC. Our goal is to use LDAP to centralize all user information and authentication on the network. To that end, we've set up Samba to use LDAP for authentication of all the Windows users. This is working, but Samba seems to require that all Windows accounts have a matching Unix account as well.

YES

> This would be fine, except that all of the user profile directories and Samba shares are hosted on a separate machine, making the Unix accounts superfluous. (As far as I know.) If at all possible, we'd like to avoid having to maintain user accounts on both the LDAP server and the Samba PDC. I had entertained the idea of using an LDAP PAM module to simulate the Unix accounts, but this is looking more and more like the wrong way to go about it as PAM seems tied strictly to authentication and Samba already handles that part.

You're confusing PAM and NSS.

> So to summarize, I'd like to know if a Samba PDC can authenticate users via an LDAP backend without having to contain local Unix accounts for those users as well.

You need to have a 'Unix' account; but you're using LDAP, so it doesn't need to be 'local'.

> I confess to not being a Windows or Samba guru, but I have read a lot of documentation and none of it has shed any light on this particular problem. If there's an easy and obvious way to do this, it has eluded me.

NSS, you probably don't need PAM.
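The distinction drawn in the reply above (the Unix account must resolve, but NSS can supply it from LDAP instead of the local passwd file) can be checked per account. This is an added example, not part of the original thread; the function names, the sample passwd text and the stand-in resolver are constructed for illustration.

```python
import pwd

# Constructed sample data: a local passwd file and what NSS would answer.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
# directory users are deliberately absent from this file
+::::::
"""
SAMPLE_NSS = {"root": 0, "alice": 10001}  # name -> uid, files + ldap combined


def sample_resolver(name):
    """Stand-in for pwd.getpwnam: same KeyError contract, constructed data."""
    uid = SAMPLE_NSS[name]  # KeyError when no NSS source knows the name
    return pwd.struct_passwd(
        (name, "x", uid, uid, "", "/nonexistent", "/bin/false"))


def local_names(passwd_text):
    """Return the account names defined in passwd(5)-format text."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        # Skip blanks, comment lines and +/- compat entries.
        if not line or line[0] in "#+-":
            continue
        names.add(line.split(":", 1)[0])
    return names


def audit(names, passwd_text, resolver=pwd.getpwnam):
    """Sort account names into local / nss-only / missing, with their uid.

    resolver goes through every NSS source configured on the host, so a
    name that resolves without being in passwd_text comes from a
    non-local source such as LDAP. 'missing' accounts have no Unix
    identity at all, which is the case Samba cannot work with.
    """
    local = local_names(passwd_text)
    report = {"local": [], "nss-only": [], "missing": []}
    for name in names:
        try:
            uid = resolver(name).pw_uid
        except KeyError:
            report["missing"].append((name, None))
            continue
        report["local" if name in local else "nss-only"].append((name, uid))
    return report


if __name__ == "__main__":
    print(audit(["root", "alice", "pc01$"], SAMPLE_PASSWD, sample_resolver))
```

On a real host, pass the contents of /etc/passwd and leave `resolver` at its default so the lookup uses the system's configured NSS sources.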
[Samba] PDC + LDAP group mappings
Alright, now that samba can talk to LDAP I have a blank slate. I know I need to set up group mappings, but I'm a little confused about this. Since it's an LDAP backend, do the groups need to have unix counterparts? Should I use the net groupmap command to add the mappings or should I use an LDIF file?

David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane, Suite 1208
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)