[Samba] Re: Samba PDC autolocking domain administrator account
Stefan Oberwahrenbrock oberwahrenbr...@transdata.net wrote in news:xns9c26809018cb9oberwahrenbrocktr...@80.91.229.13:

Hello!

It turned out that after all there were differences in the setup of the test and production system - I just was not aware of them at first: The test system was built installing a plain default NT PDC. The default NT PDC installation does not make use of a lockout after bad login attempts policy at all - if you want to use such a policy, you have to enable and configure it. The production system was configured to use this policy with defaults (LogoutThreshold 5). During migration of both systems the settings were also correctly migrated...

Thus, with e.g. disabled account policy bad lockout attempt (pdbedit), the domain-administrator does not get locked any more.

Nevertheless, Samba locking down the administrator is unexpected and unwanted - in my eyes. With NT the administrator account is not affected by the automatic locking mechanism. I think especially for users with migration background (NT 4.0 - Samba), it would be nice to have the same behaviour with Samba PDC.

In our case, the problem is not that the admins do not remember the password of the domain-admin. Instead, some users have the password for the local administrator on their local PC. If they log on as local administrator and try to connect to a share on some other machine, the Samba PDC obviously tries to authenticate the password (hash) of the local-admin session against the domain-administrator account. With bad lockout attempt set to 5, the result is a locked-down domain-administrator account (password of local and domain administrator differ of course!).

The only workaround I know is to disable bad lockout attempt completely or to set it to a relatively high value (e.g. 15). With these settings, the local-admin users trying to connect to a share do get a new window where they can provide a correct login, after Windows noticed that the first automatic connect attempts did not work.

Does anyone know if the special handling of the domain-administrator account is a topic for future releases of Samba? Is there someone else who sees the problem like I do (or am I still just too NT4.0-affected ;-))

Greetings,
Stefan
[Samba] Re: Samba PDC (and Users/Machines) join Server 2003 Domain
On Jan 28, 2008 6:18 PM, Mike [EMAIL PROTECTED] wrote:

I've been reading the Official How-To, Chap. 6, "Joining an NT4-type Domain with Samba-3" because I want to join my current Samba3 PDC server and all its users (on Win XP Pro machines) to an MS Server 2003 domain.

What I want to accomplish is --- Maintain the same Samba PDC and user account setup, and also make it possible for the Samba users to access data in a directory on Server 2003.

I was going to move forward with an interdomain trust relationship, but the beginning of Ch. 19 in the TOSHARG suggests, "Given that Samba-3 can function with a scalable backend authentication database such as LDAP, . . . the administrator would be well-advised to consider alternatives to the use of interdomain trusts simply because, by the very nature of how trusts function, this system is fragile."

A question before I begin with LDAP and kerberos -- If I make my Samba3 server act as a domain member on the MS 2003 server domain, can I continue to have all WinXP Pro clients login and authenticate to Samba3, or do I need to make them join, login, and authenticate to the MS 2003 server, and then give them access to Samba3 server after joining it (Samba3 box) to the MS 2003 domain?

Thanks for your time and patience.
[Samba] Re: Samba PDC Ldap integration
Thanks guys, I fixed the problem, it was not actually a software problem. The switch the server was on was stuffed, it kept dropping out.

Thanks for all your help

On Jan 3, 2008 3:01 PM, Andy [EMAIL PROTECTED] wrote:
> Hello all
>
> I have set up a Debian etch server with a samba and ldap integration.
>
> domain master = yes
> domain logons = yes
> os level = 33
> preferred master = yes
> local master = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap admin dn = cn=admin,dc=test,dc=net
> ldap suffix =dc=test,dc=net
> ldap user suffix = ou=users
> ldap machine suffix = ou=machines
> ldap group suffix = ou=groups
> ldap password sync = yes
>
> I have added the machine into LDAP as a samba 3 machine.
> I have added a user to the domain admins group.
>
> When I try to connect a PC to the domain an error message pops up saying
>
> the following error occurred attempting to join the domain test:
> The specific network name is no longer available
>
> Would someone know the cause of this?
>
> --
> REGARDS,
> Andy Z

--
REGARDS,
Andy Z
[Samba] Re: Samba PDC issue
On 11/16/2007, Tarak Ranjan ([EMAIL PROTECTED]) wrote:
> Hi,
> As my user's profile store in /home/user/profile
> if i use logon home = \\%L\home\%U\profile
> that will fine or not

As I learned recently, this is not advised. User profiles should always be stored in an entirely separate share, ie:

homes in: \server\home\user

and

profiles in: \server\profiles$\user

I use the $ at the end of the profiles share to hide it...

--
Best regards,
Charles
Re: [Samba] Re: Samba PDC issue
Charles Marcus wrote:
> On 11/16/2007, Tarak Ranjan ([EMAIL PROTECTED]) wrote:
>> Hi,
>> As my user's profile store in /home/user/profile
>> if i use logon home = \\%L\home\%U\profile
>> that will fine or not
>
> As I learned recently, this is not advised. User profiles should always be stored in an entirely separate share, ie:
>
> homes in: \server\home\user
>
> and
>
> profiles in: \server\profiles$\user
>
> I use the $ at the end of the profiles share to hide it...

If i want to upgrade from 2.2 to 3.0.26a, and if i have to store the user's profile into separate location as you mentioned ... so what are the things have to do,

--
Thanks & Warm Regards,
Tarak Ranjan Mukherjee
E@: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]
Online Learning|Certifications|Learning Solutions : www.liqwidkrystal.com
[Samba] Re: samba PDC and lan printer
satish patel wrote:
> I have configured samba with print services and my printer is LAN printer Ethernet jack and my PDC on another subnet so is it possible share printer from other subnet ??

What sort of issues with that configuration are you anticipating? MS Domain Browsing issues maybe?

I use CUPS with all Samba implementations I have done. CUPS just needs to know the hostname of the printer to send the print jobs to. Once CUPS is configured properly, it is a simple task to get Samba to share the print queue.

I make a few pointers in my presentation:
Samba 3 PDC for Windows Clients and Samba 3 Book Review
http://www.lueckdatasystems.com/pub/presentations/iccm2007.pdf

Sincerely,
--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/
Re: [Samba] Re: samba pdc/bdc and trust relationship
On 8/2/07, Mohammad Zohny [EMAIL PROTECTED] wrote:
> kindly try to help me in this problem, I need the solution urgently!
>
> On 7/31/07, Mohammad Zohny [EMAIL PROTECTED] wrote:
>> Hi all,
>> My environment consists of 2 locations. the first has a windows NT4 PDC (for domain EGVLE) and another SLES10 PDC server (for VLE domain), with a bi-directional trust relationship between them. the second location will have SLES10 server that will work as a BDC for the samba VLE domain.
>>
>> I want to know how the bdc server will take the trust relationship from the PDC server? and what is the optimum solution to do that?

Domain trusts are explained in the Samba HOWTO Collection (http://samba.org/samba/docs/man/Samba-HOWTO-Collection/) and may also be covered in Samba By Example (http://samba.org/samba/docs/man/Samba-Guide/). Do you have specific questions not addressed in the docs?

Josh Kelley
[Samba] Re: Samba PDC, OpenLDAP: net groupmap list and Login doesnt work
Hello together,

i found the (my) bug :-).

net groupmap list didn't work in version 3.0.23 because samba changed something:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id314632

Furthermore i can't login with a testuser because i had a typo in my smb.conf:
http://209.85.135.104/search?q=cache:oyrXRA7BVmAJ:www.silug.org/lists/silug-discuss/200704/msg6.html+init_services_keys:+key+lookup+failedhl=dect=clnkcd=13gl=de

Thanks for your help. Now everything is working fine.

Bye,
Jens

Jens Schmidt wrote on 09.05.2007:
> Hello List,
>
> after i installed Samba and the OpenLDAP, i configured this Team with some Howtos in the internet.
>
> So, now i populated the data into the LDAP with
>
> $ smbldap-populate -u 1550 -g 1500
>
> which worked well. Now i can see groups and users and machines in the LDAP Database.
>
> Then i added a new Testuser with smbldap-useradd -m -a jens (which i can see in the database, too). But if i want to connect over ssh or to the Samba i get an error message permission denied.
>
> Then i want to try to list the groupmaps and get the following error:
>
> [EMAIL PROTECTED] ~# net groupmap list
> [2007/05/09 14:41:44, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3051)
>   ldapsam_setsamgrent: LDAP search failed: No such object
> [2007/05/09 14:41:44, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3123)
>   ldapsam_enum_group_mapping: Unable to open passdb
> [EMAIL PROTECTED] ~#
>
> Can Anyone help me with that Problem? I think, if i can solve this error message, i get closer to the permission denied problem :-) .
>
> Thanks in advance.
> Jens
[Samba] Re: Samba PDC roaming profiles problem
On Friday 19 January 2007 23:49, Daniel O'Connor wrote:
> Windows cannot copy the file \\midget\profiles\darius\Application Data\Ventrilo to location C:\Documents and Settings\darius\Application Data\Ventrilo. Possible causes include network problems or insufficient security rights. If this problem persists, contact your network administrator.
>
> DETAIL - Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

I just got this one again and had another look through the log file and found this.

[2007/01/21 21:42:31, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 10.0.2.88. Error = Operation timed out

A quick search shows it happens a number of times and always for 4 bytes.

I am guessing this corresponds with the failures to log in and out..

Now to work out what the cause is :)

--
Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
[Samba] Re: samba pdc and notebook in domain
yes, on others windows domain with windows pdc, it works, but with my samba, even if i've logged before to this machine, when my pdc is down, i'm not able to log in

On Wed, 09 Aug 2006 23:19:38 +0200, Logan Shaw [EMAIL PROTECTED] wrote:
> On Wed, 9 Aug 2006, bob_bipbip wrote:
>> hello, when my computer's client is not connected to network (and so cannot connect to pdc), they are not able to log in, they have a message telling us that the system can't log in because the domain is unavailable, how to permit people to log in even if they are not connected to network?
>
> By default, Windows supports up to 10 (I think) cached logons. That means if your user abc logs on while the domain controller IS available, then they can log on later when the domain controller is NOT available, assuming there haven't been 10 people who have logged on since then.
>
> So, with a little planning (always be sure to logon before you disconnect, so that your identity is in the cache), you can use only the network user accounts without having to create separate local accounts. That makes things a lot cleaner and simpler, I think.
>
> - Logan
[Samba] Re: samba pdc and notebook in domain
never mind, my test were not good: i've logged into a client pc's just after stopping down samba services on the pdc. after a reboot of the client, logging without pdc just work ...
[Samba] Re: samba pdc ldap without roaming profiles
to disable roaming profile for everybody, i'd use this in smb.conf:

logon drive =
logon home =

yes, it's blank ;)
Re: [Samba] Re: samba pdc ldap without roaming profiles
There's a difference between what's in the smb.conf and what's stored with the user entries in the ldap backend. Thanks anyway.

bob_bipbip wrote:
> to disable roaming profile for everybody, i'd use this in smb.conf:
>
> logon drive =
> logon home =
>
> yes, it's blank ;)
[Samba] Re: samba pdc and samba domain member server
On Thu, 03 Aug 2006 19:29:39 +0200 éric le hénaff [EMAIL PROTECTED] wrote:
>> Sure, it's very possible. What kind of problem you have?
>
> The problem is
>
> # wbinfo -u
> Error looking up domain users
>
> The PDC is debian sarge with samba 3.0.22, openldap 2.2.23, smbldap-tools 0.8.7
> The domain member is debian sarge with samba 3.0.2a
>
> i may clean all tdbs ?
>
> testparm gives :
>
> Load smb config files from /etc/samba/smb.conf
> Processing section [echanges]
> Processing section [devechanges]
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>     workgroup = DOM_
>     server string = Serveur %h (Samba %v)
>     security = DOMAIN
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>     log level = 2
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     dns proxy = No
>     panic action = /usr/share/samba/panic-action %d
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind separator = +
>     invalid users = root
>     oplocks = No
>     level2 oplocks = No
>
> [echanges]
>     path = /share/echanges
>     read only = No
>     create mask = 0770
>     force create mode = 0770
>     directory mask = 0770
>     force directory mode = 0770
>     browseable = No
>
> Miguel Da Silva - Servicio de Informática wrote:
>> On Thu, 03 Aug 2006 18:54:57 +0200 éric le hénaff [EMAIL PROTECTED] wrote:
>>> hello
>>> is it possible to have a samba pdc and a samba domain member connected to that samba pdc ?
>>> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain member with winbind which worked fine with the NT4 pdc. but it doesn't work anymore.
>>> elh
>>> --
>>> Éric LE HÉNAFF
>>> École normale supérieure - Centre de ressources informatiques
>>> IT specialist, development and systems engineer for the ENS libraries
>>
>> Sure, it's very possible. What kind of problem you have?
>>
>> Greetings.

Are you using winbind separator = +? If it's true, it could be the problem.

And what about the logs of smbd and nmbd?

--
Miguel Da Silva.
Servicio de Informatica.
Facultad de Ciencias.
[Samba] Re: samba pdc and samba domain member server
> Sure, it's very possible. What kind of problem you have?

The problem is

# wbinfo -u
Error looking up domain users

The PDC is debian sarge with samba 3.0.22, openldap 2.2.23, smbldap-tools 0.8.7
The domain member is debian sarge with samba 3.0.2a

i may clean all tdbs ?

testparm gives :

Load smb config files from /etc/samba/smb.conf
Processing section [echanges]
Processing section [devechanges]
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = DOM_
    server string = Serveur %h (Samba %v)
    security = DOMAIN
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 1-2
    idmap gid = 1-2
    winbind separator = +
    invalid users = root
    oplocks = No
    level2 oplocks = No

[echanges]
    path = /share/echanges
    read only = No
    create mask = 0770
    force create mode = 0770
    directory mask = 0770
    force directory mode = 0770
    browseable = No

Miguel Da Silva - Servicio de Informática wrote:
> On Thu, 03 Aug 2006 18:54:57 +0200 éric le hénaff [EMAIL PROTECTED] wrote:
>> hello
>> is it possible to have a samba pdc and a samba domain member connected to that samba pdc ?
>> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain member with winbind which worked fine with the NT4 pdc. but it doesn't work anymore.
>> elh
>> --
>> Éric LE HÉNAFF
>> École normale supérieure - Centre de ressources informatiques
>> IT specialist, development and systems engineer for the ENS libraries
>
> Sure, it's very possible. What kind of problem you have?
>
> Greetings.
[Samba] Re: samba pdc and samba domain member server
I have this strange line at the end of the log.winbindd after restart :

[2006/08/03 19:33:31, 0] rpc_parse/parse_prs.c:prs_mem_get(530)
  prs_mem_get: reading data of size 14549202 would overrun buffer.

Miguel Da Silva - Servicio de Informática wrote:
> On Thu, 03 Aug 2006 18:54:57 +0200 éric le hénaff [EMAIL PROTECTED] wrote:
>> hello
>> is it possible to have a samba pdc and a samba domain member connected to that samba pdc ?
>> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain member with winbind which worked fine with the NT4 pdc. but it doesn't work anymore.
>> elh
>> --
>> Éric LE HÉNAFF
>> École normale supérieure - Centre de ressources informatiques
>> IT specialist, development and systems engineer for the ENS libraries
>
> Sure, it's very possible. What kind of problem you have?
>
> Greetings.
[Samba] Re: Samba PDC + OpenLDAP replica
Jukka Hienola wrote:
> Nov 4 17:37:39 slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!
> Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
> Nov 4 17:37:39 slave smbd[18093]: ldap_connect_system: Failed to retrieve password from secrets.tdb
>
> so I assume that Samba can now bind to LDAP directory, but fails when trying to get user's data. I don't know why Samba is trying to retrieve data from secrets.tdb, because in smb.conf I have set
>
> passdb backend = ldapsam:ldap://slave.ldap.server ldap://master.ldap.server;

For ldap binds, samba needs the password for the DN you have in your ldap admin dn directive. The password should have been set with smbpasswd -w.

hth
Paul
RE: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?= For your profiles.]
Ok, i'll see if i can setup a wiki which i will maintain, i've got the servers etc, but i'm not so in to building a web site, i'll notify the samba list when ready.

I use only debian for my servers and setup, i have lots of experience with login scripts etc. atm on windows and novell platforms, i have running debian with samba, ldap, cups, acl,etc3, pnp print setup (raw printing), fax is in progress, kix login script, use of usrmgr, and ldapadmin. I'm trying to integrate postfix and exchange 4linux into it, and also i'm looking at the hula project.

When ready i'll put a howto for this on my wiki.

Greetz
louis

-Original Message-
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
Sent: 07-10-05 18:15:01
To: Craig White [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?= For your profiles.]

Craig White wrote:
> I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors.

Truthfully, if it were done right, it would be probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

cheers, jerry
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us. --anonymous
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
Hi,

For the profile problems. This is my working config.

in the smb.conf (global setting)

## MISC PROFILE
logon script = logon.cmd
logon home = \\%L\%U
logon path = \\%L\profiles\%U
logon drive = P:

and

[profiles]
    path = /home/samba/profiles
    comment = Profiel omgeving
    read only = no
    create mask = 0600
    directory mask = 0700
    ## browseable = yes can be no also, but i need it to be browsable.
    ## if you want it browsable but not shown, add a $ behind [profiles$]
    ## and same in the logon path above.
    browseable = Yes
    guest ok = Yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    valid users = %U "@Domain Admins"

when this is done. add 2 registry keys.

/cut_here
REGEDIT4
; do not roam the following folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
ExcludeProfileDirs=Temporary Internet Files;History;Temp
;-
; force Windows XP Professional clients to accept Samba as a PDC
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
requiresignorseal=dword:
signsecurechannel=dword:
;-
; Do not check for user ownership of Roaming Profile Folders
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
CompatibleRUPSecurity=dword:0001
/cut_here

this will work, and many thanks for who help me out some time ago ;-)

Louis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ryan Taylor
Sent: Thursday, 6 October 2005 17:56
To: samba@lists.samba.org
Subject: [Samba] Re: SAMBA/PDC + LDAP HELP please?

Ok, I figured it out!! Thank you for the help and for others the change was in /etc/ldap.conf and I had:

rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com

i removed the ou=group after root and changed rootbinddn to just binddn and that did it.. Everything works great except for the profiles which the windows machine doesn't seem to know about %L variable. I imagine this is because I am on Samba 3.0.10 not 3.0.20a so maybe it's a new variable...

Anyway, just wanted to say Thank you to everyone for the help. The microsoft rep. assigned to our company is not going to be happy next week when time to renew!! ha, i love it.

--Ryan Taylor
[EMAIL PROTECTED]
Micro Consultants
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
> when this is done. add 2 registry keys.
>
> /cut_here
> REGEDIT4
> ; do not roam the following folders
> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> ExcludeProfileDirs=Temporary Internet Files;History;Temp
> ;-
> ; force Windows XP Professional clients to accept Samba as a PDC
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> requiresignorseal=dword:
> signsecurechannel=dword:
> ;-
> ; Do not check for user ownership of Roaming Profile Folders
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> CompatibleRUPSecurity=dword:0001
> /cut_here

I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows.

requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue.

I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1

The 'ExcludeProfileDirs' - those folders should have been excluded automatically.

Craig
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
really, thank you for notifying me.. but why is this then in the manual
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html

Windows XP Service Pack 1
There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called:
Computer Configuration\Administrative Templates\System\User Profiles\
Do not check for user ownership of Roaming Profile Folders

( is same as CompatibleRUPSecurity=dword:0001 ) And yes this is also in SP2.

I used this to avoid problems, and it works for me. As i see in the sambalist lots of people have the same problems and questions so therefore i give them my working config, And this is what i did.

that of the requiresignorseal / signsecurechannel i didn't know, so i'm going to test this in my 2nd office location. thank you for notifying me for that.

the ExcludeProfileDirs is used in my default user profile. and these are the default directories : Geschiedenis, Local Settings, Temp and Temporary Internet Files

default there is also Local Settings.. and i want these to move also in to the profile dir on the server, there are files in i need when users move to an other pc. for example.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat )
Stores a reference to which extensions (addins) you have loaded.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
Contains setting of my users, so i excluded this out of the excludeprofiledir

just some comment..

Louis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Craig White
Sent: Friday, 7 October 2005 14:39
To: samba@lists.samba.org
Subject: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.

> On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
>> when this is done. add 2 registry keys.
>>
>> /cut_here
>> REGEDIT4
>> ; do not roam the following folders
>> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> ExcludeProfileDirs=Temporary Internet Files;History;Temp
>> ;-----
>> ; force Windows XP Professional clients to accept Samba as a PDC
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> requiresignorseal=dword:
>> signsecurechannel=dword:
>> ;-----
>> ; Do not check for user ownership of Roaming Profile Folders
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>> CompatibleRUPSecurity=dword:0001
>> /cut_here
>
> I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows.
>
> requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue.
>
> I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1
>
> The 'ExcludeProfileDirs' - those folders should have been excluded automatically.
>
> Craig
RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Fri, 2005-10-07 at 15:51 +0200, Louis van Belle wrote:
> really, thank you for notifying me.. but why is this then in the manual
> http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html
>
> Windows XP Service Pack 1
> There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called:
> Computer Configuration\Administrative Templates\System\User Profiles\
> Do not check for user ownership of Roaming Profile Folders
>
> ( is same as CompatibleRUPSecurity=dword:0001 ) And yes this is also in SP2.
>
> I used this to avoid problems, and it works for me. As i see in the sambalist lots of people have the same problems and questions so therefore i give them my working config, And this is what i did.
>
> that of the requiresignorseal / signsecurechannel i didn't know, so i'm going to test this in my 2nd office location. thank you for notifying me for that.
>
> the ExcludeProfileDirs is used in my default user profile. and these are the default directories : Geschiedenis, Local Settings, Temp and Temporary Internet Files
>
> default there is also Local Settings.. and i want these to move also in to the profile dir on the server, there are files in i need when users move to an other pc. for example.
>
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat )
> Stores a reference to which extensions (addins) you have loaded.
>
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
> Contains setting of my users, so i excluded this out of the excludeprofiledir
>
> just some comment..

good points - perhaps John Terpstra might want to comment on the 'CompatibleRUPSecurity' registry setting and continuity of this setting. I haven't bothered with it and haven't had any issues.

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

Craig
wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Craig White wrote:

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us. --anonymous
Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.
On Friday 07 October 2005 07:51, Louis van Belle wrote:

really, thank you for notifying me.. but why is this then in the manual http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html

Windows XP Service Pack 1
There is a security check new to Windows XP (or maybe only Windows XP service pack 1). It can be disabled via a group policy in the Active Directory. The policy is called:
Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders
( is same as CompatibleRUPSecurity=dword:0001 )

And yes this is also in SP2.

This was user contributed documentation. The HOWTO document is a broad collection of tips, explanations, hints, and detailed explanations of the inner workings of Samba. I have re-read the chapter and believe the information is still useful, though it could do with some updating. Please take note though, the HOWTO is NOT a deployment guide.

Is anyone volunteering to review and revise this chapter? I do not have time right now.

Detailed example configurations for Samba, support software and Windows clients are provided in the book Samba-3 by Example ISBN 013188221X, available from Amazon.Com and in PDF from: http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Samba3 by Example is a prescriptive guidance document that provides detailed, step-by-step, deployment information for complete networking solutions. The book, The Official Samba-3 HOWTO and Reference Guide is NOT a deployment guide, but it provides detailed documentation of the various capabilities and components of Samba - without showing detailed deployment steps.

Cheers, John T.

I used this to avoid problems, and it works for me. As I see in the samba list lots of people have the same problems and questions so therefore I give them my working config, and this is what I did.

that of the requiresignorseal / signsecurechannel I didn't know, so I'm going to test this in my 2nd office location. thank you for notifying me of that.

the ExcludeProfileDirs is used in my default user profile. and these are the default directories: Geschiedenis, Local Settings, Temp and Temporary Internet Files. default there is also Local Settings.. and I want these to move also into the profile dir on the server, there are files in it I need when users move to another pc. for example.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook ( extend.dat ) Stores a reference to which extensions (addins) you have loaded.
%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials Contains setting of my users, so I excluded this out of the excludeprofiledir

just some comment..

Louis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Craig White
Sent: Friday 7 October 2005 14:39
To: samba@lists.samba.org
Subject: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.

On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:

when this is done. add 2 registry keys.

/cut_here
REGEDIT4

; do not roam the following folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
ExcludeProfileDirs=Temporary Internet Files;History;Temp
;-- ---
; force Windows XP Professional clients to accept Samba as a PDC
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
requiresignorseal=dword:
signsecurechannel=dword:
;-- ---
; Do not check for user ownership of Roaming Profile Folders
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
CompatibleRUPSecurity=dword:0001
/cut_here

I hate to see people encouraged to apply unnecessary fixes that were suggested to work around issues that were created as temporary solutions to the moving target of Windows.

requiresignorseal / signsecurechannel issues have long since been fixed in Samba - no need for those registry changes - this was a Samba 2.x issue.

I am pretty certain that the 'CompatibleRUPSecurity' registry patch isn't needed any longer as well, I think that was an issue created from original release of WinXP SP1.

The 'ExcludeProfileDirs' - those folders should have been excluded automatically.

Craig

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author: The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Tomasz Chmielewski wrote:

Gerald (Jerry) Carter wrote:

Craig White wrote:

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?

:-) We have a tremendous amount of urban legend on this list. Just count the number of times someone has suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server.

But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information?

cheers, jerry
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Gerald (Jerry) Carter wrote:

Craig White wrote:

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? = For your profiles.]
Gerald (Jerry) Carter wrote:

Tomasz Chmielewski wrote:

Gerald (Jerry) Carter wrote:

Craig White wrote:

I wonder if having some sort of wiki on samba web site wouldn't be useful for things like logon scripts and registry settings to be shared/discussed so they had their own longevity and current appropriateness as email archives don't often reflect the changing nature of things and sometimes the samba documentation has different objectives.

We've talked about it before but there is a fear that a wiki would turn into a propagation mechanism for Samba urban legends. Someone (or a team of people) would need to act as editors. Truthfully, if it were done right, it would probably be a good thing. But if it weren't it would be a really bad thing. It's definitely too much for the developers to take on.

IMHO Samba wiki could be a great source of info for both new and advanced users. Why should Samba wiki turn into something bad, if lots of other open source projects have wikis too, and they are useful?

:-) We have a tremendous amount of urban legend on this list. Just count the number of times someone has suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server.

baah, some time ago I asked the same question :) when I couldn't join XP machines to the domain (where Windows 2000 was working fine) - I spent a couple of hours trying to figure out what's wrong (some old wins.dat / browse.dat on that test server was the cause).

But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information?

that's the whole beauty of wiki (at least mediawiki I used, and which is used by wikipedia.org):
- you can easily see recent changes (new pages/articles, changes on pages, who made them etc.)
- you can easily compare changes (i.e. compare the state of an article/page we have now with the state we had previously)
- so it's just a matter of seconds to spot if someone posted crap or something valuable

I think the most important thing (and the hardest, too) would be to design good categories to post articles in (some articles would be of course in multiple categories), like:
- different Samba versions (2, 3, 4...)
- backends
- printing
- configuration
- installation
etc.

Basically, lots of categories could come from Samba HOWTO, but wouldn't be just the articles copied/pasted from the HOWTO, but something posted by the users, and eventually commented, corrected etc.

I could imagine myself commenting the sign'n'seal hack :)
[Samba] Re: SAMBA/PDC + LDAP HELP please?
Ok, I figured it out!! Thank you for the help and for others the change was in /etc/ldap.conf and I had:

rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com

I removed the ou=group after root and changed rootbinddn to just binddn and that did it..

Everything works great except for the profiles which the windows machine doesn't seem to know about %L variable. I imagine this is because I am on Samba 3.0.10 not 3.0.20a so maybe it's a new variable...

Anyway, just wanted to say Thank you to everyone for the help. The microsoft rep. assigned to our company is not going to be happy next week when time to renew!! ha, I love it.

--Ryan Taylor [EMAIL PROTECTED] Micro Consultants
[Samba] Re: samba PDC -- really stuck here
Under your smb.conf file change the logon path = \\%N\profiles\%u to logon path = and this will have it use the local machine.
[Samba] Re: Samba PDC + Openldap (no database connection established after reboot)
Finally, one I can answer!

Hi, all. I really need your help in determining what I did wrong. I have been trying to setup Samba PDC (not using TLS at this initial stage yet) by hand on SLES 9.1 and did not use YAST because somehow it just did not work. I followed all the steps from The Linux Samba-OpenLDAP Howto (1.10) from IDEALX.org and Chapter 5 Making Happy Users from the book and a bunch of other papers, and finally I got something working. I was able to do:

snip

Basically many steps recommended for testing and all the outputs are correct according to the example outputs. I did turn on debugging values for all components and everything seems to work ok without any errors. So I rebooted the server and then after everything came up, I tried to do these testings again. Now slapcat, ldsearch would show no outputs and the log shows no error of any kind (from my interpretation). I set up everything again and backed up all the config files just in case. I rebooted the server and the same problem happened.

Are you by any chance using ReiserFS? There is a bug in the SuSE kernel in SLES9 (there is no SLES9.1 by the way, though SLES9 is up to sp2 now). SuSE just issued an update yesterday for this bug, so all you need to do is run YAST and update your kernel and you're good to go.

--
Charles
[Samba] Re: Samba + PDC + LDAP (Sun One DS 5.2, Messaging and Identity)
Hafiz Abdul Rehman [EMAIL PROTECTED] wrote:

I am planning to install Samba as PDC for Windows XP Machines and LDAP (Sun ONE DS 5.2 + Messaging + Identity) as backend sam. if someone has already set up this kind of environment and can write down the steps in which order I have to install and configure products that would be great

I'd suggest thinking about the design a bit more - the basic question is: what is the purpose of Sun Messaging and Identity Servers? The latter might be highly useful (at least judging from specs) when integrating with legacy MS Active Directory but I can't think of any use of the former ;-) The Directory Server is a very solid and feature rich Ldap implementation though.

What you will need to tweak:
- uploading the samba schema
- configuring the TLS for secure communication with samba

If you're going to deploy samba on Solaris I'd suggest compiling with openldap libraries. But do not switch the whole solaris ldap client side to it. The native tools are very mature and can be configured easily with DS in a secure way (because of proxyagent).

Let us know if you have any specific problem.

Cheers,
--
Michal Kurowski [EMAIL PROTECTED]
[Samba] Re: Samba PDC setting up user groups and policies (Help)
Sounds like your users are not being mapped to the Domain Users ntgroup. 'net groupmap list' on the PDC will tell you what unixgroup the Domain Users ntgroup is being mapped to. Then just make sure your samba users are a member of that unixgroup.

jonlists [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Ouch I assume that your XP Workstations are domain members, then, right?

Jon Johnston
Creative Business Solutions
IBM, Microsoft, Novell/Suse, Sophos Consultants
http://www.cbsol.com
952-544-1108
Blog: http://bingo.cbsol.com

[EMAIL PROTECTED] wrote on 01/28/2005 01:08:29 PM:

I have a Samba PDC, and have problems setting up user groups to limit activity and access to file folders in Windows XP. I have administrative users that work fine. New users added as power users or regular users can log into machine client but don't even have access to the local C: drive. Can't change backgrounds or even unlock the taskbar. As long as they are added as user to the machine with admin privileges or added to admin group the account works fine.
[Samba] Re: Samba PDC Server Local SID, Domain SID, and GROUP RID Question
On Mon, Dec 13, 2004 at 09:32:27AM -0600, bryanw wrote:

My samba PDC is using the tdbsam backend and, for the most part is working flawlessly. However, when using smbpasswd to add samba accounts, I always get the following error:

tdb_update_sam: Failing to store a SAM_ACCOUNT for [userid] without a primary group RID

Now, I've googled a lot on this and have read through the mailing list archives and know that this often has to do with people not having group mapping setup. But I do:

jerry:~# net groupmap list | grep users
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users

As it turns out, I had group mapping set up, but too thoroughly. Found this in the archives:

-- snip --
The problem can be also caused if you already have 'Domain Users -> users' and add 'Users -> users' since Samba maps gid -> SID by finding the first SID -> gid mapping with the right gid and will fail if 'Users -> users' is the first map it encounters.
-- end snip --

Thanks,
Bryan Walton
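The condition Bryan describes (two NT groups mapped to the same Unix group, with the wrong one listed first) can be checked mechanically. The following is an added example, not from the thread: it assumes the Samba 3 `net groupmap list` line format `NT Group (SID) -> unixgroup`; the function name is hypothetical and the sample input is constructed, reusing the two mappings from the message above plus two made-up ones.

```shell
#!/bin/sh
# Added example (not from the thread): read `net groupmap list` output on
# stdin and report every Unix group that more than one NT group maps to.
# Assumed line format (Samba 3):  NT Group Name (SID) -> unixgroup
# Output: one line per shared Unix group, NT groups in listing order, so the
# first name shown is the first mapping for that gid in the listing.

shared_unix_groups() {
    awk '
    match($0, / \(S-[0-9-]+\) -> /) {
        nt   = substr($0, 1, RSTART - 1)            # NT group name
        sid  = substr($0, RSTART + 2, RLENGTH - 7)  # drop " (" and ") -> "
        unix = substr($0, RSTART + RLENGTH)         # Unix group name
        if (!(unix in count)) order[++n] = unix     # remember first-seen order
        count[unix]++
        entry = nt " (" sid ")"
        maps[unix] = (count[unix] == 1) ? entry : maps[unix] "; " entry
    }
    END {
        for (i = 1; i <= n; i++) {
            u = order[i]
            if (count[u] > 1) print u ": " maps[u]
        }
    }'
}

# Constructed sample. The "Users" and "Domain Users" lines are the ones quoted
# in the message; the other two lines are invented for contrast.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1590455367-7305976-751859383-512) -> ntadmin
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users
Domain Guests (S-1-5-21-1590455367-7305976-751859383-514) -> nobody'

# Demo run on the sample; on a PDC use:  net groupmap list | shared_unix_groups
printf '%s\n' "$SAMPLE_GROUPMAP" | shared_unix_groups
```

Any line it prints names a Unix group whose gid can resolve to more than one SID; for a primary group such as `users`, that is the situation behind the "without a primary group RID" error in this message.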
[Samba] Re: Samba PDC print share
I am trying to share a printer from samba to windows clients. I am using the cups subsystem. As a printer I am using Canon LBP 1120. I have found and installed the drivers from the Japanese site, and I can print from linux directly on it. I managed to add the CUPS postscript drivers to the print$ share, and the printer installs on the clients without any problems. I have also set up the default preferences of the printer to initialize it.

The problem is that after I print something from the clients I cannot print anything on the printer. I can see the job in the queue but it doesn't do anything. I can't print on linux either after this.

PS. sorry for the first message, instead of saving it I pressed send :P
Re: [Samba] Re: SAMBA PDC
Excuse me for the late answer, but I am ill now and have no possibility to test this. If I am feeling better tomorrow, I will test it. Yet again - thank you for helping me!

On Thursday 04 November 2004 22:20, Jim C. wrote:

Just delete the values for these two and then give it a try. GQ is good for this. I believe these can be set using smbldap-tools but as I recall, the tools will not accept a blank setting which is what you probably need if you want the default settings in smb.conf:

sambaProfilePath: \\PDC\profiles\yyovkov
sambaHomePath: \\PDC\homes

Jim C.

I can be reached on the following Instant Messenger services:
MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: jcllings @ njs.netlab.cz
[Samba] Re: SAMBA PDC
Excuse me for the late answer, but I am ill now and have no possibility to test this. If I am feeling better tomorrow, I will test it.

I hope you will be feeling better soon. I also hope that my latest advice is of some use to you as I've not encountered anything else that would cause this kind of trouble.

Jim C.
Re: [Samba] Re: SAMBA PDC
, you have already smb.conf, so here I will put export LDIF from one of the users I have created in LDAP:

dn: uid=yyovkov, ou=People, dc=reycon,dc=com
sambaLMPassword: 13670ACF22F45FEEAAD3B435B51404EE
sambaPrimaryGroupSID: S-1-5-21-1952575153-1713921984-2977106978-513
displayName: System User
sambaLogonScript: yyovkov.cmd
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1yR0xxN0czRDZCMm9iZnUxSlN3UC9BPT0=
sambaLogonTime: 0
sambaHomeDrive: H:
uid: yyovkov
uidNumber: 1000
cn: yyovkov
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1099499816
sambaAcctFlags: [U ]
loginShell: /bin/bash
sambaProfilePath: \\PDC\profiles\yyovkov
gidNumber: 513
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1099499816
sambaNTPassword: 9AAD35A15F8A1C96621CAFC578846E51
gecos: System User
sambaSID: S-1-5-21-1952575153-1713921984-2977106978-3000
description: System User
homeDirectory: /home/users/yyovkov
sambaKickoffTime: 2147483647
sn: yyovkov
sambaHomePath: \\PDC\homes

On Thursday 04 November 2004 09:32, Jim C. wrote:

When the problem occurs, on the Windows machine I find that %LOGONSERVER% variable is changed... So I think that the problem is near WINS, but I can not find where...

OK, then let's look at something else that might be relevant. What settings do you have for the user's sambaHomePath and sambaProfilePath in the database? I believe these will be used by default over the logon path and logon home settings in smb.conf. I set mine to blank in the user's record just after adding a user. That way the system defaults to the smb.conf settings.

Jim C.
[Samba] Re: SAMBA PDC
Just delete the values for these two and then give it a try. GQ is good for this. I believe these can be set using smbldap-tools but as I recall, the tools will not accept a blank setting which is what you probably need if you want the default settings in smb.conf:

sambaProfilePath: \\PDC\profiles\yyovkov
sambaHomePath: \\PDC\homes

Jim C.
[Samba] Re: SAMBA PDC
OK, I still have problems to run samba as PDC. ... Can someone help me, please!

We'll need some data first. To start with, post the output of the testparm command. This will tell us much about your setup and will also test smb.conf for syntax errors.

Jim C.
Re: [Samba] Re: SAMBA PDC
Thanks for help. OK there is attached output from

$ testparm -vs

I have heard something about using SRV records in DDNS, are they necessary in this case?

On Wednesday 03 November 2004 20:46, Jim C. wrote:

OK, I still have problems to run samba as PDC. ... Can some help me, please!

We'll need some data first. To start with, post the output of the testparm command. This will tell us much about your setup and will also test smb.conf for syntax errors.

Jim C.

# Global parameters
[global]
dos charset = CP850
unix charset = UTF8
display charset = LOCALE
workgroup = REYCON-1
realm =
netbios name = PDC
netbios aliases =
netbios scope =
server string = Samba 3.0.5
interfaces = eth0, lo
bind interfaces only = Yes
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
hosts equiv =
min passwd length = 5
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://pdc.reycon.com
algorithmic rid base = 1000
root directory =
guest account = nobody
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
username map = /etc/samba/smbusers
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
preload modules =
log level = 1
syslog = 0
syslog only = No
log file = /var/log/samba/%m
max log size = 50
timestamp logs = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139 445
protocol = NT1
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = wins bcast hosts
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
change notify timeout = 60
deadtime = 0
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 10
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap name = cups
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = No
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script =
abort shutdown script =
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
[Samba] Re: SAMBA PDC
Thanks for help. OK there is attached output from $ testparm -vs I have heard something about using SRV records in DDNS, are they necessary in this case?

I doubt it. I've never used them before and mine runs fine. This could be a profile permissions issue. Is your system having any trouble creating a profile with the correct perms/ownerships? To find out, use:

ls -l /var/lib/samba/profiles | grep [username]

Like so:

[EMAIL PROTECTED] 0 samba]$ ls -l /var/lib/samba/profiles | grep njim
drwx-- 19 njim Domain Users 4096 Nov 2 23:55 njim

Assuming you want roaming profiles and not mandatory profiles, it may be best to omit the profdata share. My profiles section looks like this:

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browseable = No
hide dot files = Yes
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
then mkdir -pm700 $PROFILE; chown %u.%g $PROFILE; fi

Now for a test, you can create the user's profile directory by hand using the correct permissions and ownerships. Then log in and if the problem goes away, you know that this is the issue.

The root preexec statement mentioned above causes a short script to be executed before user login. The script I've specified above will check to see if the user has a valid profile and if not it will create one with the appropriate permissions and ownerships. One would expect this to be automatic but what I found was that permissions for the parent directory necessary for automatic profile directory creation were unacceptable (i.e. the user could save or delete files in the directory beneath their own which is /var/lib/samba/profiles).

Of course this is a bit of overhead each time someone logs in. If you want a little more of a scalable solution, write a short script that creates the directory as the user is added to the system.

Let me know if this works for you.

Jim C.
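The "short script" Jim suggests at the end of this message, as an added example that is not from the thread: it creates the per-user profile directory as root, so the parent can stay non-writable for users, and it refuses names or pre-existing paths that would let the root-run step touch anything outside the profile base. The function name, the `PROFILE_BASE` variable and the script path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not the script from the thread. Intended to run as root,
# either from the account-creation step or from a share's root preexec, e.g.
#   root preexec = /usr/local/sbin/mkprofile.sh '%u' '%g'   (hypothetical path)
# The arguments are quoted because %g can contain a space ("Domain Users").
LC_ALL=C; export LC_ALL

# ensure_profile_dir BASE USER GROUP
# Returns: 0 directory present and owned by USER
#          2 unsafe user name   3 unsafe existing path
#          4 mkdir failed       5 chown failed
ensure_profile_dir() {
    base=$1 user=$2 group=$3

    # The name becomes a path component in a command run as root: reject
    # empty names, leading "." or "-", and anything outside [A-Za-z0-9._-]
    # (which also rejects "/" and therefore ".." traversal).
    case "$user" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac

    dir="$base/$user"

    # If the parent was ever user-writable, someone may have planted a
    # symlink or a directory of their own under another user's name.
    if [ -L "$dir" ]; then return 3; fi
    if [ -e "$dir" ]; then
        [ -d "$dir" ] || return 3
        [ -n "$(find "$dir" -prune -user "$user" -print 2>/dev/null)" ] || return 3
        return 0
    fi

    # No -p: BASE must already exist, so a typo cannot create a new tree.
    mkdir -m 700 "$dir" || return 4
    if ! chown "$user:$group" "$dir"; then
        rmdir "$dir"
        return 5
    fi
    return 0
}

# Script entry point: mkprofile.sh USER GROUP
if [ "$#" -eq 2 ]; then
    ensure_profile_dir "${PROFILE_BASE:-/var/lib/samba/profiles}" "$1" "$2"
fi
```

With the directory created this way, /var/lib/samba/profiles itself can be owned by root and not writable by users, which addresses the parent-directory concern raised in the message.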
Re: [Samba] Re: SAMBA PDC
No, I have no problems with this... The profile is created normally... When the problem occurs, on the Windows machine I find that %LOGONSERVER% variable is changed... So I think that the problem is near WINS, but I can not find where... Could you send me some smb.conf example which works fine?

On Wednesday 03 November 2004 22:47, Jim C. wrote:

Thanks for help. OK there is attached output from $ testparm -vs I have heard something about using SRV records in DDNS, are they necessary in this case?

I doubt it. I've never used them before and mine runs fine. This could be a profile permissions issue. Is your system having any trouble creating a profile with the correct perms/ownerships? To find out, use:

ls -l /var/lib/samba/profiles | grep [username]

Like so:

[EMAIL PROTECTED] 0 samba]$ ls -l /var/lib/samba/profiles | grep njim
drwx-- 19 njim Domain Users 4096 Nov 2 23:55 njim

Assuming you want roaming profiles and not mandatory profiles, it may be best to omit the profdata share. My profiles section looks like this:

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browseable = No
hide dot files = Yes
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
then mkdir -pm700 $PROFILE; chown %u.%g $PROFILE; fi

Now for a test, you can create the user's profile directory by hand using the correct permissions and ownerships. Then log in and if the problem goes away, you know that this is the issue.

The root preexec statement mentioned above causes a short script to be executed before user login. The script I've specified above will check to see if the user has a valid profile and if not it will create one with the appropriate permissions and ownerships. One would expect this to be automatic but what I found was that permissions for the parent directory necessary for automatic profile directory creation were unacceptable (i.e. the user could save or delete files in the directory beneath their own which is /var/lib/samba/profiles).

Of course this is a bit of overhead each time someone logs in. If you want a little more of a scalable solution, write a short script that creates the directory as the user is added to the system. Let me know if this works for you.

Jim C.
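The post's closing suggestion (create the profile directory when the account is added instead of in root preexec, and keep the parent directory closed to users) could look like the following. This is an added Python example, not code from the post; the function names and the temporary sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

PROFILE_MODE = 0o700  # the mode used by "mkdir -pm700" in the post


def ensure_profile_dir(root, user, uid, gid):
    """Create root/user as a 0700 directory owned by uid:gid.

    Returns True if the directory was created, False if it already existed.
    Anything that exists under that name but is not a real directory
    (a symlink, a file) is refused, because a script running as root must
    not chown whatever a user managed to plant in the parent directory.
    """
    if user in ("", ".", "..") or "/" in user or "\0" in user:
        raise ValueError(f"unsafe user name: {user!r}")
    path = os.path.join(root, user)
    try:
        os.mkdir(path, PROFILE_MODE)  # fails if the name exists, links included
    except FileExistsError:
        if not stat.S_ISDIR(os.lstat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a directory")
        return False
    os.chown(path, uid, gid)
    os.chmod(path, PROFILE_MODE)  # mkdir's mode is filtered by the umask
    return True


def audit_profiles(root, expected_uid):
    """Return [(name, problem), ...] for a profile tree.

    expected_uid(name) gives the numeric uid that should own the profile
    directory called name, or None to skip the ownership check.
    """
    findings = []
    if os.lstat(root).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "parent is writable by group or other"))
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        if not stat.S_ISDIR(st.st_mode):
            findings.append((name, "not a directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != PROFILE_MODE:
            findings.append((name, f"mode {mode:04o}, expected 0700"))
        uid = expected_uid(name)
        if uid is not None and st.st_uid != uid:
            findings.append((name, f"owner uid {st.st_uid}, expected {uid}"))
    return findings


def demo():
    """Build a constructed profile tree in a temp dir and audit it."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        created = ensure_profile_dir(root, "njim", uid, gid)
        again = ensure_profile_dir(root, "njim", uid, gid)
        os.mkdir(os.path.join(root, "loose"))
        os.chmod(os.path.join(root, "loose"), 0o755)
        os.symlink("/nonexistent-target", os.path.join(root, "trap"))
        os.chmod(root, 0o777)  # the open parent the post calls unacceptable
        try:
            ensure_profile_dir(root, "trap", uid, gid)
            refused = False
        except RuntimeError:
            refused = True
        return created, again, refused, audit_profiles(root, lambda name: uid)


if __name__ == "__main__":
    print(demo())
```

On a real server `ensure_profile_dir` would be called from the account-creation script with the new user's uid and gid, and `audit_profiles` with a lookup such as `pwd.getpwnam(name).pw_uid`.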
[Samba] Re: SAMBA PDC
When the problem occurs, on the Windows machine I find that %LOGONSERVER% variable is changed... So I think that the problem is near WINS, but I can not find where...

OK, then let's look at something else that might be relevant. What settings do you have for the user's sambaHomePath and sambaProfilePath in the database? I believe these will be used by default over the logon path and logon home settings in smb.conf. I set mine to blank in the user's record just after adding a user. That way the system defaults to the smb.conf settings.

Jim C.
[Samba] Re: Samba PDC Problem
If you tried different configurations for testing, it might end up with inconsistent SIDs. net getlocalsid will show what SID samba thinks and see if it is consistent with your users accounts' SID or administrators SID in LDAP server. If not, then you know where your problem is. If all your accounts in ldap have consistent SID but the samba SID is different, the easiest fix is net setlocalsid domain part of SID from LDAP

Another consideration, have you joined your PDC server into your domain? I know it is weird but your PDC will not be in your LDAP unless you join it into the domain. I don't know if this has anything to do with your problem.

The last one is well-documented: on XP you need to set certain registry parameter, which I don't remember now, to zero.

Hope this helps.
-- Kang

Kiryl Hakhovich [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hey Michael, thanks for a quick response. When i try to use BCHECKUP\Administrator it says The parameter is incorrect and does not work with ldap at all. (BCHECKUP is my domain name) I guess something wacky about my configs? Thanks.

Michael Wray wrote:

Sounds like Samba SID doesn't match SID being sent by XP workstation, which btw is what is being sent, not USERNAME Administrator. TO make sure it works for Admin's user name send sambamachinename\Administrator as the username...then the sid's should match.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kiryl Hakhovich
Sent: Monday, July 26, 2004 10:45 AM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba PDC Problem

Hello guys, I have a Samba 3.0.4 on FC2, it has LDAP backend. Machine authenticate users with no problem. However when i try to add XP client to domain, from that workstation, it asking for Administrator password to join to the Domain and then says Login failure: unknown user name or bad password. And at the same time record does inserts into the LDAP!? I can see it right after i got message on the screen about error.
Now here is a part from server log:

--
Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1587)
Jul 26 11:34:13 fileserver smbd[27897]: ldapsam_add_sam_account: SID 'S-1-5-21-299320441-2527492060-3102699668-3000' already in the base, with samba attributes
Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2267)
Jul 26 11:34:13 fileserver smbd[27897]: could not add user/computer kiryha$ to passdb. Check permissions?
--

Note: i can login to linux server with name 'Administrator' and have root's privileges, since ldap has uid 0 for Administrator. smb.conf has line admin users = Administrator

What am i missing? Any ideas? Thank you!

Sincerely, Kiryl Hakhovich.
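The SID comparison Kang describes (the domain part reported by net getlocalsid against the sambaSID values stored in LDAP), together with the "already in the base" condition from the log, can be checked mechanically. The following is an added Python example, not part of the thread; the account list, the account names other than kiryha$ and the sample `net getlocalsid` line are constructed, and only the SID prefix and the RID 3000 come from the log above.

```python
import re
from collections import Counter, defaultdict

# Domain account SID: S-1-5-21-<a>-<b>-<c>[-<rid>]
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def local_sid(net_output):
    """Extract the domain SID from the text printed by `net getlocalsid`."""
    m = re.search(r"S-1-5-21(?:-\d+){3}", net_output)
    if not m:
        raise ValueError("no domain SID found in output")
    return m.group(0)


def check_accounts(local, accounts):
    """Compare (name, sambaSID) pairs with the server's local SID.

    Returns a dict with:
      foreign     - accounts whose domain part differs from the local SID
      duplicates  - SID -> names, where one SID is stored on several entries
      not_domain  - entries whose SID is not a domain account SID
      domains     - how many accounts carry each domain part
    """
    report = {"foreign": [], "not_domain": [], "domains": Counter()}
    by_sid = defaultdict(list)
    for name, sid in accounts:
        try:
            domain, rid = split_sid(sid)
        except ValueError:
            report["not_domain"].append(name)
            continue
        if rid is None:
            report["not_domain"].append(name)
            continue
        report["domains"][domain] += 1
        if domain != local:
            report["foreign"].append(name)
        by_sid[sid.strip()].append(name)
    report["duplicates"] = {s: n for s, n in by_sid.items() if len(n) > 1}
    return report


# SID prefix taken from the log line quoted in the post.
PAGE_DOMAIN = "S-1-5-21-299320441-2527492060-3102699668"
# Constructed sample of `net getlocalsid` output.
NET_OUTPUT = "SID for domain FILESERVER is: " + PAGE_DOMAIN
# Constructed sample of (uid, sambaSID) pairs as they might sit in LDAP.
ACCOUNTS = [
    ("Administrator", PAGE_DOMAIN + "-500"),
    ("kiryha$", PAGE_DOMAIN + "-3000"),
    ("oldbox$", PAGE_DOMAIN + "-3000"),
    ("testuser", "S-1-5-21-1111111111-2222222222-3333333333-3002"),
    ("builtin-users", "S-1-5-32-545"),
]


def demo():
    return check_accounts(local_sid(NET_OUTPUT), ACCOUNTS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

If `domains` shows one consistent prefix that differs from the local SID, that prefix is the value the post says to pass to net setlocalsid; a `duplicates` entry corresponds to the "already in the base" error in the log.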
Re: [Samba] Re: Samba PDC Problem
The last one is well-documented: on XP you need to set certain registry parameter, which I don't remember now, to zero.

This was only an issue for samba pre 3.0, since the 3.0 release it is no longer needed. You're most likely referring to the SignOrSeal registry patch.

Hope this helps.
-- Kang

Kiryl Hakhovich [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hey Michael, thanks for a quick response. When i try to use BCHECKUP\Administrator it says The parameter is incorrect and does not work with ldap at all. (BCHECKUP is my domain name) I guess something wacky about my configs? Thanks.

Michael Wray wrote:

Sounds like Samba SID doesn't match SID being sent by XP workstation, which btw is what is being sent, not USERNAME Administrator. TO make sure it works for Admin's user name send sambamachinename\Administrator as the username...then the sid's should match.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kiryl Hakhovich
Sent: Monday, July 26, 2004 10:45 AM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba PDC Problem

Hello guys, I have a Samba 3.0.4 on FC2, it has LDAP backend. Machine authenticate users with no problem. However when i try to add XP client to domain, from that workstation, it asking for Administrator password to join to the Domain and then says Login failure: unknown user name or bad password. And at the same time record does inserts into the LDAP!? I can see it right after i got message on the screen about error.
Now here is a part from server log:

--
Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1587)
Jul 26 11:34:13 fileserver smbd[27897]: ldapsam_add_sam_account: SID 'S-1-5-21-299320441-2527492060-3102699668-3000' already in the base, with samba attributes
Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2267)
Jul 26 11:34:13 fileserver smbd[27897]: could not add user/computer kiryha$ to passdb. Check permissions?
--

Note: i can login to linux server with name 'Administrator' and have root's privileges, since ldap has uid 0 for Administrator. smb.conf has line admin users = Administrator

What am i missing? Any ideas? Thank you!

Sincerely, Kiryl Hakhovich.

-- Paul Gienger Office: 701-281-1884 Applied Engineering Inc. Information Systems Consultant Fax:701-281-1322 URL: www.ae-solutions.com mailto: [EMAIL PROTECTED]
[Samba] Re: samba PDC
something like

net rpc join -W domainname -U Administrator%password

-- KS

my diva [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

hi...mailers i have a PDC server. and i have two client using windows and Linux. In windows client no problem but in Linux client i have the problem. so...how to join linux client in my PDC server? i need help because this is my project. thanks.. regards Rian
Re: [Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi.

Hi Dendik congrats on solving your problem.

Thanks.

are you using samba3 ?

Yes, i am.

How did you go with group policies on Xp?

Hmm... The most correct answer would be i don't know. After i fixed the hardware problem, the only thing i did on client machines was to enter the domain -- and there were no problems with roaming profiles. Could you describe your problem better -- i dug up a lot of info and can be of some help, probably.

Dendik.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi. Finally!!! I got it working!!! The only thing i did was to replace server's builtin 3Com Gigabit network card with SMC1255 (100Mb). I tried to force settings of 3Com -- to half duplex mode, or to other speed -- but it did not let me exceed autodetection, and autodetection was half duplex/100Mb. I still can not figure out, why such low-level hardware replacement cured such high-level software problems -- but this makes no matter for me right now, since it works, and it works fine.

Special thanks to Dragan Krnic, who was almost the only one trying to help me on this list.

Dendik.

PS. I confirm: recent WinXP's do not require either RequireSignOrSeal, or mmc, or WebClient service, or EAP patches. (Though some of these patches -- e.g. group policies in mmc and one of registry patches, which Dragan sent me -- are useful for making things smoother)
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
More than one week of fighting -- and still no result. I'm stuck at the very same point. Right now i had to make the system work just any way -- at least like file server for window$ clients. But the problem with file downloading still persists. And i really have no idea of what i do wrong.

You still have the problem! So sorry. I installed an XP yesterday. All I had to do was set network properties and register the SignOrSeal patch (WinXP_SignOrSeal.reg). I left the default IEEE 802.1X EAP setting (Smartcard or other...) and didn't disable the Web client service either, just to see what kind of problems other people have. Well, I had no problem whatsoever. I can login in and out in a couple of seconds. I can transfer the Win2K-SP4 (137 MB) in both directions under 15 sec. I don't know what your problem is but in your shoes I would try from scratch, with a very uncomplicated setup - just the server and a freshly installed client connected via a crossed cable and build from there. Chances are that something completely different is your problem, but you need to find it out slowly and systematically.

Sounds like symptoms of activated Web Client service. Maybe the point is about EAP -- i did not quite

Still no help. I even tried to select each protocol, deselect each of their checkboxes and then deselect IEEE 802.1x, as someone reported this may help -- no result.

I wonder what other problem in client network configuration can be masked by switching EAP and Web client off. I've seen the problem only on an XP client, a laptop. It wasn't severe. Opening a share or a shared subdirectory would stall for several seconds although it takes no time on other clients. When I disabled Web client and EAP those symptoms were gone. With my new XP box I also tried and disabled both EAP and Web client. No difference. Same login and transfer speed.
EAP and Web client obviously do not need to be a problem on an otherwise correctly set up server and clients communicating through decent wires and switches. I'm afraid no one can help you but you yourself. Go slowly from simple to more complex. Be sure what works and you'll find out what the problem was. Perhaps you should first test how fast ftp client works.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi. The situation turned out even more mysterious than it seemed before. I got two new XP boxes, obviously those are XP/pro without SP1 (did not check that, but it required much more updates than other XP boxes, and ver tells it's the same XP/2002/2600). So i tried out carefully step-by-step installation of those machines. I stopped when they were in domain mode, before any RequireSignOrSeal/WebClient/EAP patches and they worked fine, a few seconds per log in, no trouble with downloading/uploading, just perfect!!!

So i reinstalled XP on one of other 20 machines. And nothing changed -- files still won't download even before entering domain mode.

More fun: there are several samba servers in other networks, and all (now 22) machines can access them without any problems. I did try to port their smb.conf to my server, but they have samba 2.2 and i did not decide yet to make that big retract.

Now i decided to run diff on XP distribs and find out what the difference is in to see if i can fix it. Will report after i complete. Anyway, it's at least very strange behaviour!!

Dendik.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi. More than one week of fighting -- and still no result. I'm stuck at the very same point. Right now i had to make the system work just any way -- at least like file server for window$ clients. But the problem with file downloading still persists. And i really have no idea of what i do wrong.

Sounds like symptoms of activated Web Client service. Maybe the point is about EAP -- i did not quite

Still no help. I even tried to select each protocol, deselect each of their checkboxes and then deselect IEEE 802.1x, as someone reported this may help -- no result.

Dendik.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi!

Sounds like symptoms of activated Web Client service.

Probably, i even found the message you were talking about, and the symptoms really look the same, but strangely, disabling WebClient did not help -- maybe there is some result, but the one i do not notice :). There HAVE to be something Damian Gerow have done, that he did not tell... Maybe the point is about EAP -- i did not quite understand it. If anyone knows, what are symptoms of EAP being turned on/off (and where to turn it on/off -- is it in properties of network connection and called $(regexp 'IEEE [0-9]{3}.[0-9]') ), please tell me.

Yes, of course. How silly of me. Your domain is .ru

Hmm. It was twice as strange for me because by your name i thought that you are from either one of post-USSR republics, or from one of their neighbour republics, where cyrillic is also often used.

Dendik.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Sounds like symptoms of activated Web Client service.

Probably, i even found the message you were talking about, and the symptoms really look the same, but strangely, disabling WebClient did not help -- maybe there is some result, but the one i do not notice :). There HAVE to be something Damian Gerow have done, that he did not tell... Maybe the point is about EAP -- i did not quite understand it. If anyone knows, what are symptoms of EAP being turned on/off (and where to turn it on/off -- is it in properties of network connection and called $(regexp 'IEEE [0-9]{3}.[0-9]') ), please tell me.

You can choose between 3 EAPs: PEAP, MD5 challenge and SmartCard or other certificate in LAN Link properties under the tab Authentication if you enable IEEE 802.1X Authentication. I switched it off altogether when I killed Web client service.

Yes, of course. How silly of me. Your domain is .ru

Hmm. It was twice as strange for me because by your name i thought that you are from either one of post-USSR republics, or from one of their neighbour republics, where cyrillic is also often used.

Close. We used to use both before we started fighting about it. Very few typewriters had cyrillic and in IT the standard is not to use cyrillic.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
[global] ... dos charset = CP866 display charset = KOI8-R unix charset = KOI8-R

Probably just a matter of taste.

Actually, not a taste, but a language -- russian.

Yes, of course. How silly of me. Your domain is .ru

; preferred master = No ; local master = Yes

My smb.conf has both set to Yes. In addition to that

Mine also had some time ago. It's the result of me experimenting in hope to make it work.

I set this registry on all clients:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
\Services\Browser\Parameters\
\MaintainServerList=No

instead of default Auto.

Never seen a link to this patch. Thanx.

It's not a panacea but it keeps the clients from initiating browser elections, if you know they'll lose it every time. It's an old trick. It probably only makes a significant impact with large number of clients.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
I have recently recognized that the problem of domain logons is at least closely connected to the problem of downloading big files (i.e. files larger than something about 4k or even 2k). The symptoms are the following:

1. There are two differently behaving groups of programs: network neighbourhood (or something like that) and windows explorer, FAR, (i suppose that Window Commander -- for those who don't know what FAR is) and so on.

2. Network Neighbourhood almost refuses to do anything on Samba shares -- it has long stall upon entering directories with names longer than 8 chars, and i don't remember it to be able to perform any file download/upload operations at all.

3. WinExplorer can browse shares freely, unless it encounters directory containing more than 25 entries (very strange limit -- but i checked, the limit is 25), where it stalls for 2 minutes. Also downloading files larger than something about 2 or 4 K always stalls for two minutes, and (under some unclear circumstances) sometimes fail completely.

Sounds like symptoms of activated Web Client service. If you have missed it a few days ago, it appears that the new, XP-specific service called Web Client, automatically enabled by default, creates all kinds of performance and access problems. I only have 1 XP client in my network but it suddenly started acting normally, just like any other Win2K clients, after I disabled this service. By the way, I still can't figure out what FAR is.

[global] ... dos charset = CP866 display charset = KOI8-R unix charset = KOI8-R

Probably just a matter of taste.

; preferred master = No ; local master = Yes

My smb.conf has both set to Yes. In addition to that I set this registry on all clients:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
\Services\Browser\Parameters\
\MaintainServerList=No

instead of default Auto.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi! Thanks for the advice you gave, hopefully it'll help. (right now i can't reach the computer class)

Sounds like symptoms of activated Web Client service. ...

I found some references about Web Client somewhere (don't remember where right now), and even tried to turn it off, but mistakenly i turned off Win support for IPC$ (after a day of digging info on the Web and trying to fix it :), and after i recognized what exactly i've done, i stopped considering turning off Web Client as a way to solve the problem. Definitely i missed this topic a few months ago, since i started ANY using of samba only in July this year. But probably several of links i googled about Web Client were on the Samba mailing list.

By the way, I still can't figure out what FAR is.

FAR is File Manager, like WinExplorer, but styled like old DOS-time file managers -- Norton Commander, Volkov Commander, Dos Navigator. Differences from WinExplorer are mainly having two panels for keyboard-friendliness and having support for many tools and actions (like archivers, not using win file aliases and even mostly not using win extractors) and having many builtin tools of their own. Hmm. This seems really offtopic, but if it gave you a tiny bit of useful knowledge, i'm happy :).

[global] ... dos charset = CP866 display charset = KOI8-R unix charset = KOI8-R

Probably just a matter of taste.

Actually, not a taste, but a language -- russian.

; preferred master = No ; local master = Yes

My smb.conf has both set to Yes. In addition to that

Mine also had some time ago. It's the result of me experimenting in hope to make it work.

I set this registry on all clients:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
\Services\Browser\Parameters\
\MaintainServerList=No

instead of default Auto.

Never seen a link to this patch. Thanx.

Dendik.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
But when i tried to log in with that very account from another machine, i got Win hanging up for about two minutes and blaming approximately the following way: Windows can't log you on with local profile, using temporary profile. Changes done to this profile will be lost after you log off (phrase `local profile` seemed strange to me, but Win really does what it should do, except not down/up loading the profiles). After the message disappears or i hit OK, Win logs in normally, downloads logon.bat and seems to behave fine, but the profile is really removed after log off.

Many problems result in this message. One is you need a [profiles] share with a subdir named after each user. That user needs to have full access to it, for example 0700, belongs to user:users. You also need a [netlogon] share even if you don't use it. Try this scheme:

[global]
logon path = \\samba-srv\profiles\%U
[netlogon]
path = /some-existing-path/netlogon
write list = ntadmin
browseable = No
[profiles]
path = /some-existing-path/profiles
valid users = %U
read only = No
browseable = No
inherit permissions = No

Sometimes an already existing profile is the problem. Try removing it (save it first for reference) and logging in afresh.
[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles
Hi! Thanks for answering, but unfortunately, this seems to be of no help. I already had [netlogon] service in my config (to avoid further confusion, i add my smb.conf at the end of this file), the only option i did not have was inherit permissions = No, which does not seem to be useful for solving the problem (and did not help also).

I have recently recognized that the problem of domain logons is at least closely connected to the problem of downloading big files (i.e. files larger than something about 4k or even 2k). The symptoms are the following:

1. There are two differently behaving groups of programs: network neighbourhood (or something like that) and windows explorer, FAR, (i suppose that Window Commander -- for those who don't know what FAR is) and so on.

2. Network Neighbourhood almost refuses to do anything on Samba shares -- it has long stall upon entering directories with names longer than 8 chars, and i don't remember it to be able to perform any file download/upload operations at all.

3. WinExplorer can browse shares freely, unless it encounters directory containing more than 25 entries (very strange limit -- but i checked, the limit is 25), where it stalls for 2 minutes. Also downloading files larger than something about 2 or 4 K always stalls for two minutes, and (under some unclear circumstances) sometimes fail completely.

I seem to be really stuck with these errors, and i feel like i just look in wrong direction, so any genius ideas will be gratefully accepted :). (Even any ideas that will help me to fix the thing :).

On Thu, Aug 22, Dragan Krnic [EMAIL PROTECTED] wrote:

Many problems result in this message. One is you need a [profiles] share with a subdir named after each user. That user needs to have full access to it, for example 0700, belongs to user:users. You also need a [netlogon] share even if you don't use it. Sometimes an already existing profile is the problem. Try removing it (save it first for reference) and logging in afresh.
# ### Here go the most important parts from my smb.conf
[global]
; Network names and alike
workgroup = COMPUTER_CLASS
netbios name = kodomo
server string = Kodomo Samba %v
comment = BoiInformatic Computer Class
; Charset conversion
dos charset = CP866
display charset = KOI8-R
unix charset = KOI8-R
; Security
security = user
encrypt passwords = Yes
min passwd length = 6
null passwords = Yes
wide links = No
passdb backend = smbpasswd
log level = 1
log file = /var/log/samba/log.smbd.%m
max log size = 1
; Netlogon
domain logons = Yes
logon script = logon.bat
logon path = \\kodomo\profiles\%U
logon drive = H:
logon home = \\kodomo\%u
; Browse master
; preferred master = No
; local master = Yes
domain master = Yes
os level = 64

[netlogon]
path = /home/export/samba/netlogon
write list = root
read only = Yes
; browseable = No
public = No
veto oplock files = /NTUSER.DAT /ntuser.ini

[profiles]
path = /home/export/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
; browsable = No

[homes]
comment = Home directory for %u
invalid users = root
browseable = No
read only = No
#

Dendik.
[Samba] Re: samba-PDC problem
Your post says that you can access the profiles directory on the server. Make sure you can write to it as well. The Linux file permissions need to be correct. The following document has some good info. on setting up roaming profiles. Note that it deals with Samba 2.x but the info. may still be relevant to Samba 3.x. http://www-1.ibm.com/servers/esdd/tutorials/samba/index.html

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

I am trying to get roaming profiles working for my Win2K workstation and run a group login script at logon. My user account (traxx) can join and logon to the domain (DATA) but I get 2 error messages after authentication:

1 'Windows cannot create profile directory \\henry\dcarter\profile.pds. You will be loggeed on with a local profile only. Changes to the profile will not be propogated to the server. Contact your network administrator.'

2-'Windows cannot find the local profile is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.'

These are the relevant lines from my smb.conf:

workgroup=DATA
netbios name=DATASERVER
logon script=%g.bat
domain logons=yes
[Profiles]
path=/home/profiles
create mask=0777
read only=no
browseable=no

I can access \\henry\profiles from the run command okay

I have also tried: path=/home/users/%u to store profiles in home directories e.g. mine would be /home/users/traxx but I get the same error messages.

By the way my samba logs also says:

[2003/07/27 14:56:31, 0] rpc_server/srv_netlog.c:api_net_sam_logon(206)
api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
[2003/07/27 14:56:31, 0] rpc_server/srv_pipe.c:api_rpcTNP(1200)
api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
[2003/07/27 14:56:35, 0] smbd/service.c:make_connection(248)
traxx (192.168.0.55) couldn't find service profiles

Can anybody help? Thank you
[Samba] Re: samba pdc problem
You need to add the line

domain admin group = user1 user2 @group1 @group2
[Samba] Re: Samba PDC Windows XP
Try changing this in the XP registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
RequireSignOrSeal=dword:

Jose Gabriel Garcia Araujo [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

I have configured Samba as a PDC and I have 2 Xp computers I can logon in the domain I see the shares of the samba server from the windows XP machines but I cant see the shares of the Windows XP machines from the Samba server. I always get the same error:

added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
Got a positive name query response from 192.168.0.3 ( 192.168.0.1 )
Password:
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

Any Ideas?

-- Jose Gabriel Garcia Araujo [EMAIL PROTECTED] Adicora.net
[Samba] Re: SAMBA PDC User Permissions, Admin Settings, and Logon?
Correct that - On Issue 2, I get no access at all.

Nolan

Nolan Garrett wrote:

Hi all! First off, I'd like to thank you for the help you've previously given me. I'd like to state a few of the problems I am now experiencing, and you all can provide insight. I've read all the documentation I can find and have surfed the archives for this newsgroup, but to no avail. Any help would be greatly appreciated! (I am using SAMBA 2.2.7)

Issue 1: If I don't have every user listed in the admin users = section that I want to allow logon access, they cannot log on. I usually get a domain unavailable error.

Issue 2: If I don't set up each user account (w/ domain) on the WinXP machine I want to logon to, I get some kind of very, very limited logon. It almost seems to be corrupted.

Issue 3: This is my main frustration - I cannot seem to block access to other peoples shares! EG user chrisg can access the nolan share, etc.

Final Issue: Not a big problem, but I can't figure out how to set up the CUPS drivers for the pdf-generator. Is it a winbind problem, bad config, or am I just a moron?
Attached is my smb.conf

# Samba config file created using SWAT
# from gridlock.workgroup.net (192.168.0.5)
# Date: 2003/02/24 18:08:30
# Global parameters
[global]
netbios name = MAIN
server string = Samba Server %v
encrypt passwords = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*succesfully*
unix password sync = Yes
log level = 1
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
domain admin group = @admins
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
logon script = %U.bat
logon path = \\main\profiles\%U
logon drive = Z:
logon home = \\main\%U\.profile
domain logons = Yes
os level = 99
domain master = Yes
dns proxy = No
wins support = Yes
winbind uid = 1-2
winbind gid = 1-2
; valid users = ahayes root danielleg chrisg rickg nolan
admin users = root nolan chrisg rickg danielleg alyssag
printer admin = nolan root
hosts allow = 192.168.0. 127.
; profile acls = Yes
printing = cups

[homes]
comment = Home Directory for %u
read only = No
create mask = 0660
directory mask = 0770
browseable = No
oplocks = No
level2 oplocks = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root nolan

[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
browseable = No
csc policy = disable

[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root nolan
guest ok = Yes
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /etc/samba/drivers
write list = root nolan

[pdf-generator]
comment = PDF Generator (only valid users!)
path = /var/tmp
printable = Yes
print command = /usr/share/samba/scripts/print-pdf %s ~%u %L %u %m

[public]
comment = Public
path = /home/samba/public
read only = No
guest ok = Yes
[Samba] RE: SAMBA PDC User Permissions, Admin Settings, and Logon?
Thank you! This definitely fixed the mapping problem. Now if I could only make my logons TRULY roaming...

Nolan

Rob Savage wrote:

> Hey Nolan,
>
> I can easily give you an answer to I3
>
> > Issue 3: This is my main frustration - I cannot seem to block access to other peoples shares! EG user chrisg can access the nolan share, etc.
> >
> > [homes]
> >     comment = Home Directory for %u
> >     read only = No
> >     create mask = 0660
> >     directory mask = 0770
> >     browseable = No
> >     oplocks = No
> >     level2 oplocks = No
>
> Try adding these:
>
>     Valid users = %U
>     Path = /home/%u
>     Guest ok = No
>
> ---
> Have an excellent day,
> Rob Savage
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nolan Garrett
> Sent: February 24, 2003 11:49 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] SAMBA PDC User Permissions, Admin Settings, and Logon?
>
> Hi all!
>
> First off, I'd like to thank you for the help you've previously given me. I'd like to state a few of the problems I am now experiencing, and you all can provide insight. I've read all the documentation I can find and have surfed the archives for this newsgroup, but to no avail. Any help would be greatly appreciated! (I am using SAMBA 2.2.7)
>
> Issue 1: If I don't have every user listed in the admin users = section that I want to allow logon access, they cannot log on. I usually get a domain unavailable error.
>
> Issue 2: If I don't set up each user account (w/ domain) on the WinXP machine I want to logon to, I get some kind of very, very limited logon. It almost seems to be corrupted.
>
> Issue 3: This is my main frustration - I cannot seem to block access to other peoples shares! EG user chrisg can access the nolan share, etc.
>
> Final Issue: Not a big problem, but I can't figure out how to set up the CUPS drivers for the pdf-generator. Is it a winbind problem, bad config, or am I just a moron?
[Samba] re: Samba PDC shared applications and a default start menu profile (Kevin S. Brackett)
Hi

I'm currently doing exactly this for several sites. Within Win2K and above it is possible to configure Local Group Policy Objects, so that the ALLUSERPROFILES value is pointed to

    %LOGONSERVER%\Software\Documents and Settings\All Users\Start Menu

Thus when a user logs in, they see the menus stored in their profile, overlaid by these on the Network Drives.

Then using the same techniques used by tools such as SMS, and InstallRite, applications are wrapped and installed onto a Network only Drive. When a user clicks on the Application Icon, pointed to by the ALLUSERPROFILE Menu tree, the application is installed.

So far, we've been able to wrap most applications this way, from vendors such as Borland, Adobe, MacroMedia and Microsoft.

For details of this http://www.appdeploy.com has more details of how to do this.

Please note this doesn't work for all applications, for instance Microsoft Office needs some neat tricks to ensure that it installs a few things which need to be on the local C:

Hope this helps

Edmund

--
Edmund J. Sutcliffe
Thoughtful Solutions; Creatively Implemented and Communicated
[EMAIL PROTECTED]
http://panic.fluff.org
+44 (0) 7976 938841
[Samba] Re: samba PDC and windows xp profiles...
OK, after downloading the entire source for Samba 2.2.7a and compiling, instead of simply patching up to 2.2.7a, I no longer have the issue of writing to the Cookies folder in the win9x profile. There is an issue with the win9x machine not shutting down, but that may be a machine issue, so I will troubleshoot that some more.

However, the winXP is getting a new error which I am not 100% sure about:

    Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to profile will not be copied to the server when you log off. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.

Again, here is the smb.conf and ls -l of the profiles folder:

    drwxrwxrwt    4 root     users        4096 Dec  9 16:28 profiles

and profiles/

    drwxrwxrwx    2 banderso geo          4096 Dec  6 17:05 banderson

(Obviously, the username is banderson, and the users group is geo (the grp ownership was root, to begin with, but I changed it to geo and got the same error)

smb.conf:

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2002/11/17 15:45:04

# Global parameters
[global]
    ; Basic server settings
    workgroup = REEDNET
    netbios name = REGMAIN
    security = USER

    ; we should act as the domain and local master browser
    os level = 65
    domain master = yes
    local master = yes
    preferred master = yes

    ; encrypted passwords are a requirement for a PDC
    encrypt passwords = yes

    ; support domain logons
    domain logons = yes

    ; where to store user profiles?
    logon path = \\%L\profiles\%U

    ; where is a user's home directory and where should it
    ; be mounted at?
    logon drive = x:
    logon home = \\%L\%U\.profile

    ; needed for win9x profiles
    preserve case = yes
    short preserve case = yes
    case sensitive = no

    ; specify a generic logon script for all users
    ; this is a relative **DOS** path to (from) the [netlogon] share
    logon script = logon.bat

    ; specific password (lack of) requirements
    min passwd length = 0
    null passwords = yes
    passwd program = /usr/bin/passwd -u %u
    unix password sync = yes

    ; Logging options
    log level = 3
    log file = /usr/local/samba/var/log.%m
    max log size = 50

    ; Tuning options
    deadtime = 15
    keepalive = 0

    ; Special users and handlers
    domain admin group = root amccaleb
    message command = /bin/mail -s 'message from %f on %m' root %s; rm %s
    hide local users = no
    admin users = root amccaleb
    wins support = yes
    add user script = /usr/sbin/useradd -d /dev/null -g 110 -s /bin/false -M %u

[homes]
    path = %H
    valid users = %S
    read only = no
    guest ok = no
    create mask = 0777
    directory mask = 0777
    browseable = yes
    level2 oplocks = yes
    dos filetimes = yes

; share for storing nt/2k/xp user profiles
[profiles]
    path=/srv/profiles
    read only = no
    create mask = 0777
    directory mask = 0777
    nt acl support = no
    browseable = yes

[netlogon]
    path = /srv/netlogon
    read only = yes
    write list = root amccaleb
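An added example, not part of any message in this archive: a small Python audit for the share-access settings that appear in the smb.conf files posted above ([homes] without a per-owner `valid users`, non-root accounts in `admin users`, guest-writable shares, masks that keep the world-write bit, `null passwords`). The sample configuration is constructed from those postings and the function names are this example's own; the check relies on the fact that accounts listed in `admin users` perform file operations as root, so Unix permissions no longer separate their shares.

```python
"""Audit smb.conf text for the share-access settings discussed in this thread."""

# Constructed sample, shortened from the settings posted in the messages above.
SAMPLE = """
[global]
    admin users = root nolan chrisg rickg
    null passwords = yes
;   valid users = ahayes root nolan

[homes]
    read only = No
    create mask = 0660
    browseable = No

[profiles]
    path = /var/lib/samba/profiles
    read only = No
    create mask = 0777
    guest ok = Yes

[netlogon]
    path = /var/lib/samba/netlogon
    write list = root nolan
"""

TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased, space-normalised names."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)       # values may contain '=' themselves
            current[" ".join(name.lower().split())] = value.strip()
    return conf


def effective(conf, share, name, default=""):
    """Value set in the share, else inherited from [global], else the default."""
    return conf.get(share, {}).get(name, conf.get("global", {}).get(name, default))


def is_true(conf, share, *names):
    """True if any of the (synonymous) boolean parameters is enabled."""
    return any(effective(conf, share, n, "no").lower() in TRUE for n in names)


def writable(conf, share):
    read_only = effective(conf, share, "read only", "yes").lower() in TRUE
    return not read_only or is_true(conf, share, "writable", "writeable", "write ok")


def audit(conf):
    """Return a sorted list of (section, parameter, reason) findings."""
    findings = []
    for section, params in conf.items():
        admins = [u for u in params.get("admin users", "").replace(",", " ").split()
                  if u != "root"]
        if admins:
            findings.append((section, "admin users",
                             "file operations run as root for: " + " ".join(admins)))
        for name in ("create mask", "directory mask"):
            try:
                world_write = int(params.get(name, "0"), 8) & 0o002
            except ValueError:
                world_write = 0
            if world_write:
                findings.append((section, name, "mask keeps the world-write bit"))
        if section == "global":
            if is_true(conf, "global", "null passwords"):
                findings.append((section, "null passwords", "empty passwords accepted"))
            continue
        if section == "homes":
            valid = effective(conf, section, "valid users")
            if "%S" not in valid and "%U" not in valid:
                findings.append((section, "valid users",
                                 "home shares are not limited to their owner"))
        if is_true(conf, section, "guest ok", "public") and writable(conf, section):
            findings.append((section, "guest ok", "guests can write to this share"))
    return sorted(findings)


if __name__ == "__main__":
    for section, name, reason in audit(parse_smb_conf(SAMPLE)):
        print("[%s] %s: %s" % (section, name, reason))
```
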
[Samba] Re: Samba PDC.... no mapping between account names and security IDs was done
Yes I know... you will all say... asked and answered but this is ridiculous... I still cannot add my win 2k wks to my Samba domain... I have created the machine account, and the root account in smbpasswd I have checked and they DO exist... I am running Samba 2.2.6-1, the build which many on these lists claim to fix this win2k problem but as of yet... no luck... here is my smb.conf if anyone can find a problem in it

# Samba config file created using SWAT
# from duar (127.0.0.1)
# Date: 2002/11/16 11:58:30

# Global parameters
[global]
    workgroup = KRONOS
    netbios name = DUAR
    netbios aliases = DUAR
    server string =
    encrypt passwords = Yes
    update encrypted = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    passwd chat debug = Yes
    username map = /etc/samba/smbusers
    unix password sync = Yes
    admin log = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain admin group = @DomainAdmins
    domain guest group = @DomainGuests
    domain logons = Yes
    os level = 33
    lm announce = Yes
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    winbind use default domain = Yes
    alternate permissions = Yes
    valid users = root
    admin users = root
    printer admin = root
    printing = lprng

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = No

Yours Hopefully
Steve Jackson
[Samba] re: Samba PDC Problem (Account name security ID mapping blah blah blah)
Yes I know... you will all say... asked and answered but this is ridiculous... I still cannot add my win 2k wks to my Samba domain... I have created the machine account, and the root account in smbpasswd I have checked and they DO exist... I am running Samba 2.2.6-1, the build which many on these lists claim to fix this win2k problem but as of yet... no luck... here is my smb.conf if anyone can find a problem in it

# Samba config file created using SWAT
# from duar (127.0.0.1)
# Date: 2002/11/16 11:58:30

# Global parameters
[global]
    workgroup = KRONOS
    netbios name = DUAR
    netbios aliases = DUAR
    server string =
    encrypt passwords = Yes
    update encrypted = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    passwd chat debug = Yes
    username map = /etc/samba/smbusers
    unix password sync = Yes
    admin log = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain admin group = @DomainAdmins
    domain guest group = @DomainGuests
    domain logons = Yes
    os level = 33
    lm announce = Yes
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    winbind use default domain = Yes
    alternate permissions = Yes
    valid users = root
    admin users = root
    printer admin = root
    printing = lprng

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = No

Yours Hopefully
Steve Jackson
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
A few more questions and comments... related to this topic

If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a password in the LDAP tree.. just the principal for the user in the userpassword attribute:

    userpassword = {kerberos}name@domain

in the smb.conf file do I need stuff like this?

    Unix password sync = yes
    passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

in this program synchronize-kerb-smb %u is the username and comes in as an argument, then request the password and read it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and then get a valid user/admin ticket using kinit for an account validated by a keytab .. then run

    kadmin.local -q 'cpw -pw $password $username'

to synchronize with Kerberos

this has the potential to work (I think) but... I'm missing a few parts.. can a script like this synchronize passwords when they are forced to change their password at the client level.. say expire the user's password? And what happens if they change their password using kpassword.. that has the potential to unsynchronize the passwords..

Also.. what about the adding machines trusts to the samba domain?.. I've seen where people use the:

    add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$

is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP suffix = ou=people, dc=domain.. but I don't want to add machines to this container.. I would rather put them in something like ou=hosts, dc=domain..

I have many more questions but don't want to change the topic too much...

Jonathan Higgins
Network Service Specialist IV
[EMAIL PROTECTED]

Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM

> Here what you could use: LDAP with Kerberos password backend. Samba 2.2.6 PDC with LDAP backend.
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Jonathan Higgins wrote:

> A few more questions and comments... related to this topic
>
> If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a password in the LDAP tree.. just the principal for the user in the userpassword attribute:
>
>     userpassword = {kerberos}name@domain

That is correct. I did not mean sync between Kerberos and LDAP, I mean sync between Kerberos and Samba passwords stored in LDAP.

> in the smb.conf file do I need stuff like this?
>
>     Unix password sync = yes
>     passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

Yes.

> in this program synchronize-kerb-smb %u is the username and comes in as an argument, then request the password and read it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and then get a valid user/admin ticket using kinit for an account validated by a keytab .. then run
>
>     kadmin.local -q 'cpw -pw $password $username'
>
> to synchronize with Kerberos

Easier (not yet more secure though) way is creating a separate Kerberos principal with permissions for password change, saving the key (with ktadd -k file) in separate keytab and using the key with kadmin -k -t /path/keytab -p principal_name. Then cpw user@DOMAIN will change password for the user. The cpw command can be passed to kadmin via expect script or via STDIN (less secure though).

> this has the potential to work (I think) but... I'm missing a few parts.. can a script like this synchronize passwords when they are forced to change their password at the client level.. say expire the user's password? And what happens if they change their

Kerberos has its own password expiration mechanism. You can write a script that will scan principals in KDC, extract password expire dates and compare them with the current date. Then, let's say 5 days before the expiration, it can start sending notifications to users. The warning message can contain a link to a webpage for the password change.

> password using kpassword.. that has the potential to unsynchronize the passwords..

Yes, if user changes password with kpassword, there is no way to synchronize it with Samba password. So users must be instructed to use either standard Windows way to change the passwords, or a webpage. The CGI script will take care of changing passwords in Kerberos and Samba (via smbldap utilities, for example) realms.

> Also.. what about the adding machines trusts to the samba domain?.. I've seen where people use the:
>
>     add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$
>
> is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP suffix = ou=people, dc=domain.. but I don't want to add machines to this container.. I would rather put them in something like ou=hosts, dc=domain..

Yes, you can do it with the mentioned smbldap scripts where People and Computers DNs can be configured. Then you use

    add user script=/path/smbldap-useradd.pl -w %m$

> I have many more questions but don't want to change the topic too much...

:)

> Jonathan Higgins
> Network Service Specialist IV
> [EMAIL PROTECTED]
>
> Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM
>
> > Here what you could use: LDAP with Kerberos password backend. Samba 2.2.6 PDC with LDAP backend. Windows passwords are stored in LDAP in samba object, not in Kerberos KDC since they use incompatible encryption methods. Use Kerberos passwords as primary source and synchronize Windows passwords with them when user changes his password or administrator reset it. This setup will allow to use the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping needed. Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...
> >
> > Yongjun Rong wrote:
> >
> > > Hi, Andrew, Thank you very much for your answer. Now our case is as below:
> > > 1, our client machine is the windows 2000
> > > 2, We want our Kerberos run in the Unix box.
> > > 3, We also want the samba as PDC for all windows user and machine.
> > > 4, We want integrate the Kerberos Authentication with samba authentication.
> > > So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I
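An added example, not from any poster in this thread: a Python sketch of the expiry scan suggested in the reply above (read each principal's password expiration date, compare it with the current date, and pick out those within 5 days of expiring). It assumes the records look like kadmin `getprinc` output with a `Password expiration date:` line; the sample text, realm, principals and function names are constructed for illustration.

```python
"""Flag Kerberos principals whose password expires within a warning window."""
from datetime import datetime, timedelta

# Constructed sample in the layout assumed for kadmin "getprinc" output;
# the realm, principals and dates are made up.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Last password change: Tue Oct 01 09:00:00 UTC 2002
Password expiration date: Mon Nov 04 09:00:00 UTC 2002

Principal: bob@EXAMPLE.ORG
Password expiration date: [never]

Principal: carol@EXAMPLE.ORG
Password expiration date: Fri Dec 20 09:00:00 UTC 2002

Principal: dave@EXAMPLE.ORG
Password expiration date: Wed Oct 30 09:00:00 UTC 2002
"""


def parse_kadmin_date(value):
    """Parse 'Mon Nov 04 09:00:00 UTC 2002'; bracketed values mean no expiry."""
    value = value.strip()
    if not value or value.startswith("["):
        return None
    parts = value.split()
    if len(parts) == 6:
        # Drop the timezone abbreviation: strptime's %Z only knows a few names.
        # The result is a naive datetime in the KDC's local time.
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_getprinc(text):
    """Return {principal: expiry datetime or None} from getprinc-style records."""
    expiries, principal = {}, None
    for line in text.splitlines():
        label, _, value = line.partition(":")
        label = label.strip().lower()
        if label == "principal":
            principal = value.strip()
            expiries[principal] = None
        elif label == "password expiration date" and principal:
            expiries[principal] = parse_kadmin_date(value)
    return expiries


def expiring(text, now, warn_days=5):
    """Return sorted (principal, status, whole_days_left) needing a notification."""
    report = []
    for principal, expiry in parse_getprinc(text).items():
        if expiry is None:                      # password never expires
            continue
        left = expiry - now
        if left <= timedelta(0):
            report.append((principal, "expired", 0))
        elif left <= timedelta(days=warn_days):
            report.append((principal, "warn", left.days))
    return sorted(report)


if __name__ == "__main__":
    # Fixed "current" time so the constructed sample gives a stable result.
    for row in expiring(SAMPLE_GETPRINC, datetime(2002, 10, 31, 12, 0, 0)):
        print("%-20s %-8s %d day(s) left" % row)
```
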
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Yongjun-

Right now, you cannot get Samba to authenticate the user using the kerberos credentials he gets when logging in to the Kerberos Realm on the workstation.

What you can do:

1. Run MIT kerberos 5 on UNIX.
2. Setup pam_krb5 in Solaris to authenticate off of the UNIX kdc. (We use the one supplied with Solaris 8. We couldn't get the Solaris 9 one to work, however. You could always replace it with the open source stuff though.)
3. Setup a Windows 2000 AD domain. Mixed or Native mode shouldn't matter.
4. Create an account/password for the AD server in the UNIX kerberos domain and trust the UNIX kerberos realm from AD with it.
5. Create accounts in AD that match the ones in the UNIX kdc and whatever you're using for passwd/group/shadow (nis, nss_ldap, etc.) with the 'username mapping' set to the username@KERBEROSREALM. The passwords can be randomized. If you need it, I have a vbscript for creating the accounts to help automate this. We're using NIS with no passwords in NIS except for the usual administrative ones since we don't control the kerberos domain here.
6. Setup Samba 2.2.6 --with-pam and in User mode. Samba will authenticate off of kerberos through pam.
7. Setup the Windows 2000 workstations via a group policy object or with a registry editor to Enable Send clear-text passwords to third-party SMB servers.
8. On the Windows 2000 workstations run 'ksetup.exe /addkdc REALMNAME fqdn.of.your.server'. ksetup is in the Windows 2000 resource kit.

That'll work.

*** However, in this configuration, you cannot get drives mapped to shares on the Samba server without the user typing in the password interactively.*** You'll need to create a script for the users to use for this purpose. ('net use U: \\server\%username% /persistent:no')

Hopefully by 3.0 release the kerberos authentication will work in this setup and drive mapping can be done automatically and we can do things like Folder Redirection to samba shares!

Additional cool things would involve editing the resources in the MSGINA.DLL to add some more explanatory info for users so that they know to login to the '(Kerberos Realm)' and not the local workstation or AD domain.

Donald Saltarelli

On Thu, 2002-10-31 at 12:28, Yongjun Rong wrote:

> Hi, Andrew, Thank you very much for your answer. Now our case is as below:
> 1, our client machine is the windows 2000
> 2, We want our Kerberos run in the Unix box.
> 3, We also want the samba as PDC for all windows user and machine.
> 4, We want integrate the Kerberos Authentication with samba authentication.
> So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map (using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me. Thank you very much.
>
> John
>
> Original Message
> From: Andrew Bartlett
> Date: Mon 10/28/02 17:24
> To: Yongjun Rong
> Cc: [EMAIL PROTECTED]
> Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
>
> Yongjun Rong wrote:
>
> > Hi, Andrew, This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.
> > 1, Is the samba can use the kerberos (Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Hi, Andrew,

Thank you very much for your answer. Now our case is as below:

1, our client machine is the windows 2000
2, We want our Kerberos run in the Unix box.
3, We also want the samba as PDC for all windows user and machine.
4, We want integrate the Kerberos Authentication with samba authentication.

So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map (using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me.

Thank you very much.

John

Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:

> Hi, Andrew, This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.
> 1, Is the samba can use the kerberos (Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.

> 2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS. Where can start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have download the source of samba3.0alpha20. And I also have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot* more Active Directory work done.

> 3, You said that samba should support the MIT kerberos. But not at this moment. Did it support kerberos in the older version or not? which version? If it was not support. I wish I can do something for it. Thank you very much for your help. John.

In a very old version, we used the host keytab. Now we use our own secrets.tdb file, which we maintain. This is because in an ADS environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. CC me if you want me to actually read it however :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Here what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in samba object, not in Kerberos KDC since they use incompatible encryption methods. Use Kerberos passwords as primary source and synchronize Windows passwords with them when user changes his password or administrator reset it.

This setup will allow to use the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping needed.

Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...

Yongjun Rong wrote:

> Hi, Andrew, Thank you very much for your answer. Now our case is as below:
> 1, our client machine is the windows 2000
> 2, We want our Kerberos run in the Unix box.
> 3, We also want the samba as PDC for all windows user and machine.
> 4, We want integrate the Kerberos Authentication with samba authentication.
> So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map (using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me. Thank you very much.
John

Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:

Hi, Andrew, This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some questions about samba and Kerberos.

1, Can the samba use the kerberos (not with ADS, just MIT or SEAM in Solaris) as the authentication service and store samba user and passwd in the kerberos database directly, but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.

2, If it cannot, I know the samba has support for Kerberos with Microsoft ADS. Where can I start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also have configured the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot* more Active Directory work done.

3, You said that samba should support the MIT kerberos. But not at this moment. Did it support kerberos in the older version or not? Which version? If it was not supported, I wish I can do something for it. Thank you very much for your help. John.

In a very old version, we used the host keytab. Now we use our own secrets.tdb file, which we maintain. This is because in an ADS environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies.
CC me if you want me to actually read it however :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba