RE: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread Gavin Davenport
Hiya Tim, Thanks for helping.


Can you post your
smb.conf 
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
winbind cache time = 2
#   winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[Software]
comment = Software Library
path = /mnt/largeprimary/software
#   valid users = @MYNETWORK.ISP.CO.UK\Domain Users
#   Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[EMAIL PROTECTED] /root]# more /etc/pam.d/login
#%PAM-1.0
auth   required /lib/security/pam_securetty.so
auth   required /lib/security/pam_stack.so service=system-auth
auth   required /lib/security/pam_nologin.so
account    required /lib/security/pam_stack.so service=system-auth
password   required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_stack.so service=system-auth
session    optional /lib/security/pam_console.so

wbinfo -u
[EMAIL PROTECTED] /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
snip

wbinfo -g
[EMAIL PROTECTED] /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
snip

[EMAIL PROTECTED] /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
snip
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

[EMAIL PROTECTED] /root]# getent group
root:x:0:root
snip
nobody:x:99:
users:x:100:gavdav
snip
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:

getent and setent are listing local users and groups.

What do I need to change in /etc/pam.d/login to fix it ?
Where should I be looking for help ?

Thanks very much

Gavin Davenport
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


FW: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread VR-Bug Support


-Original Message-
From: VR-Bug Support 
Sent: 15 October 2003 13:42
To: 'Gavin Davenport'
Subject: RE: [Samba] Re: domain groups accessing samba share


Hi Gavin,

This is what I have for my /etc/pam.d/login

#%PAM-1.0
auth   required pam_securetty.so
auth   sufficient   /lib/security/pam_winbind.so
auth   sufficient   /lib/security/pam_unix.so nodelay use_first_pass
auth   sufficient   /lib/security/pam_krb5.so
auth   required pam_stack.so service=system-auth
auth   required pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    sufficient   /lib/security/pam_krb5.so
account    required pam_stack.so service=system-auth
password   required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth
session    optional pam_console.so

And when I issue getent group or getent passwd it lists both local and ADS users.

Regards,

Luke


-Original Message-
From: Gavin Davenport [mailto:[EMAIL PROTECTED]
Sent: 15 October 2003 09:05
To: [EMAIL PROTECTED]
Cc: Tim Jordan, Network Services
Subject: RE: [Samba] Re: domain groups accessing samba share


Hiya Tim, Thanks for helping.


Can you post your
smb.conf 
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
winbind cache time = 2
#   winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[Software]
comment = Software Library
path = /mnt/largeprimary/software
#   valid users = @MYNETWORK.ISP.CO.UK\Domain Users
#   Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[EMAIL PROTECTED] /root]# more /etc/pam.d/login
#%PAM-1.0
auth   required /lib/security/pam_securetty.so
auth   required /lib/security/pam_stack.so service=system-auth
auth   required /lib/security/pam_nologin.so
account    required /lib/security/pam_stack.so service=system-auth
password   required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_stack.so service=system-auth
session    optional /lib/security/pam_console.so

wbinfo -u
[EMAIL PROTECTED] /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
snip

wbinfo -g
[EMAIL PROTECTED] /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
snip

[EMAIL PROTECTED] /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
snip
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

[EMAIL PROTECTED] /root]# getent group
root:x:0:root
snip
nobody:x:99:
users:x:100:gavdav
snip
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:

getent and setent are listing local users and groups.

What do I need to change in /etc/pam.d/login to fix it ?
Where should I be looking for help ?

Thanks very much

Gavin Davenport

RE: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread Gavin Davenport
Ok - I replaced my /etc/pam.d/login with the one you've posted.

getent still lists me just local machine users and groups.

Trying to attach to the machine results in this in the hosts samba log:

  Doing spnego session setup
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
  Got OID 1 2 840 48018 1 2 2
  Got OID 1 2 840 113554 1 2 2
  Got OID 1 3 6 1 4 1 311 2 2 10
  Got secblob of size 1235
  Ticket name is [EMAIL PROTECTED]
  Username gavdav is invalid on this system
  error string = No such file or directory
  error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
  timeout_processing: End of file from client (client has disconnected).
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  Closing connections
  Yielding connection to
  yield_connection: tdb_delete for name  failed with error Record does not exist.
  Server exit (normal exit)

Still stuck - what should I have in /etc/pam_smb.conf, and
/etc/pam.d/system-auth ??

smb.conf now:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Revolver
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 139 445
announce as = NT Workstation
name resolve order = host bcast
client signing = Yes
server signing = Yes
client use spnego = Yes
use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
winbind cache time = 2
winbind use default domain = Yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yeS
comment = Redhat 8.0 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[usr-local]
path = /usr/local
read only = Yes
valid users = @MYNETWORK.ISP.CO.UK\Domain Users
Admin users = @MYNETWORK.ISP.CO.UK\gavdav


Re: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread Rich Webb
- Original Message - 
From: Gavin Davenport [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:14 PM
Subject: RE: [Samba] Re: domain groups accessing samba share


> Ok - I replaced my /etc/pam.d/login with the one you've posted.
>
> getent still lists me just local machine users and groups.
>

Do you have the following in your /etc/nsswitch.conf:

passwd: files winbind
group:  files winbind
shadow: files

Rich
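
The check Rich asks about, as an added example that is not part of the original thread: getent resolves accounts through NSS, so it can only list domain entries when winbind is a source for passwd and group in /etc/nsswitch.conf. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an nsswitch.conf send a database through winbind?
# Function names and sample files are illustrative, not from the thread.

# nss_uses_winbind FILE DB -> exit 0 if "winbind" is a source for DB
nss_uses_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "")                       # strip comments
          c = index($0, ":"); if (!c) next     # not a "database: sources" line
          name = substr($0, 1, c - 1); gsub(/[ \t]/, "", name)
          if (name != db) next
          n = split(substr($0, c + 1), src, /[ \t]+/)
          for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
          exit }                               # first matching line decides
        END { exit !found }
    ' "$1"
}

# diagnose_nss FILE -> report passwd and group; exit 1 if either lacks winbind
diagnose_nss() {
    rc=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then
            echo "$db: winbind listed, getent $db can return domain entries"
        else
            echo "$db: winbind missing, getent $db returns local entries only"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/local_only.conf" <<'EOF'
# passwd: files winbind    (commented out, must not count)
passwd: files
group:  files
shadow: files
EOF
cat > "$SAMPLE_DIR/with_winbind.conf" <<'EOF'
passwd: files winbind
group:  files winbind
shadow: files
EOF

diagnose_nss "$SAMPLE_DIR/local_only.conf" || true
diagnose_nss "$SAMPLE_DIR/with_winbind.conf"
```

On a live host, run `diagnose_nss /etc/nsswitch.conf` and then compare `wbinfo -u` with `getent passwd`.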


RE: [Samba] Re: domain groups accessing samba share

2003-10-14 Thread Gavin Davenport
Hi there

Make this:
valid users = @LABOR\domain admins

 write list = @LABOR\domain admins
write useres = @LABOR\domain admins

What if the domain user doesn't have a local user on the unix machine ?

How do I get round that ??


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of John H Terpstra
Sent: 14 October 2003 02:18
To: Tim Jordan, Network Services
Cc: [EMAIL PROTECTED]
Subject: [Samba] Re: domain groups accessing samba share


On Mon, 13 Oct 2003, Tim Jordan, Network Services wrote:

> Hey John,
> I've been working on this most the day.  Just can't seem to nail it
> down!  (Yes sir I did read the How To)
> Winbind is working fine - I can:
> wbinfo -g
> wbinfo -u
> getent passwd
> getent group
>
> Problem is when I try to use a domain group on a Samba share I get a
> username and password prompt; although, nothing seems to get me in!
>
> Please advise
>
> #Samba 3.0 running under Gentoo1.4
> [global]
> workgroup = LABOR
> realm = LABOR.AK
> server string = Samba3 on ANC-Gentoo1.4
> security = ADS
> password server = passwordserver
> log file = /usr/local/samba/var/log.%m
> max log size = 50
> socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> wins server = win_server_ip
> idmap uid = 1-2
> idmap gid = 1-2
> template homedir = /home/winnt/%D/%U
> template shell = /bin/bash
>
> [Linux Software]
> comment = Open Source Software
> path = /home/tim/Linux Software
> valid users = @LABOR\domain admins
>
> read only = No





-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Re: domain groups accessing samba share

2003-10-14 Thread Rich Webb

- Original Message - 
From: Gavin Davenport [EMAIL PROTECTED]
To: John H Terpstra [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:13 AM
Subject: RE: [Samba] Re: domain groups accessing samba share


> Hi there
>
> Make this:
> valid users = @LABOR\domain admins
>
> > write list = @LABOR\domain admins
> write useres = @LABOR\domain admins
>
> What if the domain user doesn't have a local user on the unix machine ?
>
> How do I get round that ??

That is where winbind comes in.  You use winbind to allow your domain users
from your NT/2k server to be seen by the samba box as normal unix users.

Rich



[Samba] Re: domain groups accessing samba share

2003-10-13 Thread John H Terpstra
On Mon, 13 Oct 2003, Tim Jordan, Network Services wrote:

> Hey John,
> I've been working on this most the day.  Just can't seem to nail it
> down!  (Yes sir I did read the How To)
> Winbind is working fine - I can:
> wbinfo -g
> wbinfo -u
> getent passwd
> getent group
>
> Problem is when I try to use a domain group on a Samba share I get a
> username and password prompt; although, nothing seems to get me in!
>
> Please advise
>
> #Samba 3.0 running under Gentoo1.4
> [global]
> workgroup = LABOR
> realm = LABOR.AK
> server string = Samba3 on ANC-Gentoo1.4
> security = ADS
> password server = passwordserver
> log file = /usr/local/samba/var/log.%m
> max log size = 50
> socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> wins server = win_server_ip
> idmap uid = 1-2
> idmap gid = 1-2
> template homedir = /home/winnt/%D/%U
> template shell = /bin/bash
>
> [Linux Software]
> comment = Open Source Software
> path = /home/tim/Linux Software
> valid users = @LABOR\domain admins
Make this:
valid users = @LABOR\domain admins

 write list = @LABOR\domain admins
write useres = @LABOR\domain admins

- John T.

 read only = No





-- 
John H Terpstra
Email: [EMAIL PROTECTED]