Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-29 Thread Kris Lou
ldap.conf/nsswitch.conf/ldap.secrets all exist.

Something might be wrong with the set up on the PDC side - when I run "net
groupmap list" , all of my mappings correctly show up.  But when I run a
"net rpc group list" on the PDC, only 2 groups (most recently created) are
displayed.

Kris Lou
k...@themusiclink.net


On Fri, Jan 29, 2010 at 2:20 PM, Rob Shinn wrote:

> Kris Lou wrote:
>
>> PDC Results:
>> SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
>> SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377
>>
>> Openfiler Results:
>> SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
>> SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377
>>
>> As you can see, the domain SIDs match.
>>
>> Also, here's the global portion of the Openfiler smb.conf and an example
>> share (portions edited). About this - I can obviously edit the smb.conf, but
>> it gets overwritten by the Openfiler gui whenever changes are made.  Looking
>> at the file, I'm not understanding where the group security settings are
>> being placed.  It looks like Openfiler runs with Samba 3.2.13
>>
>
> Is nss-ldap installed on the Openfiler?  If so, is it pointing to the LDAP
> server on the Samba+LDAP machine?
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-29 Thread Rob Shinn

Kris Lou wrote:

PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match.

Also, here's the global portion of the Openfiler smb.conf and an 
example share (portions edited). About this - I can obviously edit the 
smb.conf, but it gets overwritten by the Openfiler gui whenever 
changes are made.  Looking at the file, I'm not understanding where 
the group security settings are being placed.  It looks like Openfiler 
runs with Samba 3.2.13


Is nss-ldap installed on the Openfiler?  If so, is it pointing to the 
LDAP server on the Samba+LDAP machine?




Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-25 Thread Kris Lou
PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match.

Also, here's the global portion of the Openfiler smb.conf and an example
share (portions edited). About this - I can obviously edit the smb.conf, but
it gets overwritten by the Openfiler gui whenever changes are made.  Looking
at the file, I'm not understanding where the group security settings are
being placed.  It looks like Openfiler runs with Samba 3.2.13

# Global settings
[global]

workgroup = MLC
server string = Openfiler NAS
netbios name = VADER
wins server = pdc.ip.add.ress  //edited
password server = pdc.ip.add.ress   //edited
realm =
; interfaces = 192.168.12.2/24 192.168.13.2/24
; remote announce = 92.168.1.255 192.168.2.44
; domain logons = yes
log file = /var/log/samba/%m.log
max log size = 0
; hosts deny = all
map to guest = Bad User
guest account = ofguest
display charset = LOCALE
unix charset = UTF-8
dos charset = CP850
ldap ssl = no
ldap admin dn =  //edited
ldap suffix =  //edited
encrypt passwords = yes
security = user
passdb backend = ldapsam:ldap://pdc.ip.add.ress  //edited
ldap user suffix = ou=People
ldap group suffix = ou=Group
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
; username map = /etc/samba/smbusers
obey pam restrictions = yes
load printers = no
domain master = no
local master = no
preferred master = no
os level = 0

[Purchasing]
comment = Purchasing Share
path = /mnt/fileshare/Purchasing/Purchasing
read only = no
writeable = yes
oplocks = yes
level2 oplocks = yes
force security mode = 0
dos filemode = yes
dos filetime resolution = yes
dos filetimes = yes
fake directory create times = yes
browseable = yes
csc policy = manual
share modes = yes
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
veto files = /*:Zone.Identifier:*/
create mode = 0770
directory mode = 2770
printable = no
guest ok = no
hosts allow =  23.23.23.0/24
hosts readonly allow =
store dos attributes = yes
map acl inherit = yes
vfs objects = shadow_copy




Kris Lou
k...@themusiclink.net


On Sat, Jan 23, 2010 at 3:34 PM, Rob Shinn wrote:

>  What does your 'net getdomainsid' or 'net getlocalsid' output look like?
>
>
> Kris Lou wrote:
>
> Hi Rob,
>
> Thanks for the quick reply - Here it is (mostly with some cut and paste).
>
> CentOS 5.4
> Samba  3.2.15
>

Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-23 Thread Rob Shinn

What does your 'net getdomainsid' or 'net getlocalsid' output look like?

Kris Lou wrote:

Hi Rob,

Thanks for the quick reply - Here it is (mostly with some cut and paste).

CentOS 5.4
Samba  3.2.15


Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Kris Lou
Hi Rob,

Thanks for the quick reply - Here it is (mostly with some cut and paste).

CentOS 5.4
Samba  3.2.15

dn: cn=Domain Admins,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Administrators
sambaSID: S-1-5-21-957249707-1866601452-441284377-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 1a60146c-cfad-102d-96b0-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 512
cn: Domain Admins
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
memberUid:
entryCSN: 20091028001757Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091028001757Z

dn: cn=Domain Users,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: 1a7ebb60-cfad-102d-96b1-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 513
cn: Domain Users
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
entryCSN: 20091215225639Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091215225639Z

dn: cn=Domain Guests,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: 1a845502-cfad-102d-96b2-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
userPassword:: e2NyeXB0fXg=
memberUid: design
memberUid: fedex
memberUid: infobox
memberUid: mailbox
memberUid: test
entryCSN: 20090521203023Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090521203023Z

dn: cn=Domain Computers,ou=Group,dc=themusiclink,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-957249707-1866601452-441284377-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 1a8ab492-cfad-102d-96b3-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
entryCSN: 20090507234700Z#04#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090507234700Z

dn: cn=Administrators,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: 1a905d16-cfad-102d-96b4-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
userPassword:
memberUid: administrator
memberUid: root
entryCSN: 20090516003337Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090516003337Z

dn: sambaDomainName=MLC,dc=themusiclink,dc=net
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MLC
sambaSID: S-1-5-21-957249707-1866601452-441284377
structuralObjectClass: sambaDomain
entryUUID: 1aab5d3c-cfad-102d-96b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234701Z
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
sambaPwdHistoryLength: 0
gidNumber: 1033
uidNumber: 1043
sambaNextRid: 1100
entryCSN: 20100104223853Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20100104223853Z

dn: cn=TML.Accounting,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: TML.Accounting
userPassword:: e2NyeXB0fXg=
gidNumber: 1145
structuralObjectClass: posixGroup
entryUUID: 90185732-cfad-102d-97b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507235018Z
sambaSID: S-1-5-21-957249707-1866601452-441284377-1011
sambaGroupType: 2
displayName: TML Accounting
description: Domain Unix group
memberUid: mailman
memberUid: mtong
memberUid: psmith
memberUid: spatrino
memberUid: klou
memberUid: tocampo
entryCSN: 20091202193050Z#03#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091202193050Z

dn: cn=TML.CustomerService,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: TML.CustomerService
userPassword:: e2NyeXB0fXg=
gidNumber: 1030
structuralObject

Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Rob Shinn

Kris Lou wrote:

I've checked my ldif's - the groups exist, the users exist as
memberids, but it looks like samba is only checking the gid?
  
Can you post the LDIFs of your groups (you can edit out any 
incriminating evidence ;)?  Sounds like your groups are lacking correct 
sambaSID or sambaGroupType attributes.
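
The check suggested above, as an added example (not part of the original thread and not Samba's own code): a small LDIF auditor that flags posixGroup entries lacking a usable sambaSID or sambaGroupType, including domain groups whose SID is not under the sambaDomain SID. The sample LDIF is constructed; it reuses the MLC domain SID and the VADER local SID posted in the thread, while the dc=example,dc=net DNs and the Sales and Warehouse groups are made up, and treating 2, 4 and 5 as the valid sambaGroupType values is an assumption.

```python
import base64
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# Assumption: 2 = domain group, 4 = local alias, 5 = builtin group.
VALID_GROUP_TYPES = {"2", "4", "5"}

# Constructed sample. The two S-1-5-21 prefixes are the MLC domain SID and the
# VADER local SID quoted in the thread; DNs and the last two groups are made up.
SAMPLE_LDIF = """\
dn: sambaDomainName=MLC,dc=example,dc=net
objectClass: sambaDomain
sambaSID: S-1-5-21-957249707-1866601452-441284377

dn: cn=Domain Users,ou=Group,dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
userPassword:: e2NyeXB0fXg=
sambaSID: S-1-5-21-957249707-1866601452-441284377-513
sambaGroupType: 2

dn: cn=Administrators,ou=Group,dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5

dn: cn=Sales,ou=Group,dc=example,dc=net
objectClass: posixGroup
memberUid: alice

dn: cn=Warehouse,ou=Group,dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-2859034502-3981372097-2611941478-1201
sambaGroupType: 2
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    logical = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line (folding).
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def audit_groups(entries):
    """Return {dn: [problems]} for posixGroup entries Samba cannot map cleanly."""
    domain_sids = {e["sambasid"][0] for e in entries
                   if "sambadomain" in _classes(e) and e.get("sambasid")}
    seen, report = {}, {}
    for e in entries:
        if "posixgroup" not in _classes(e):
            continue
        dn = e.get("dn", ["<no dn>"])[0]
        sid = e.get("sambasid", [""])[0]
        gtype = e.get("sambagrouptype", [""])[0]
        problems = []
        if "sambagroupmapping" not in _classes(e):
            problems.append("no sambaGroupMapping objectClass")
        if not SID_RE.match(sid):
            problems.append("missing or malformed sambaSID")
        elif seen.setdefault(sid, dn) != dn:
            problems.append("sambaSID also used by " + seen[sid])
        if gtype not in VALID_GROUP_TYPES:
            problems.append("missing or unknown sambaGroupType")
        elif gtype == "2" and domain_sids and sid.rsplit("-", 1)[0] not in domain_sids:
            problems.append("domain group SID is not under the sambaDomain SID")
        if problems:
            report[dn] = problems
    return report


if __name__ == "__main__":
    print(audit_groups(parse_ldif(SAMPLE_LDIF)))
```

To run it against a real directory, feed it the output of an LDAP export of the group and sambaDomain entries instead of SAMPLE_LDIF.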



[Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Kris Lou
Hi List,

This may be more of an LDAP question than a Samba question - if so, let me know!

I have an implementation of samba + openldap, and using that server as
an external ldap server for an Openfiler install.  I've run into
problems with user authentication (WinXP) where either samba or ldap
is only recognizing the user's gid - which as I understand it is the
Primary Group.  However, authentication against any secondary group is
denied.  I've checked the samba logs, and as far as I can tell, uid's
and gid's (primary) are getting passed and authenticated - but no
mention of checking the 2ndary groups.

I've checked my ldif's - the groups exist, the users exist as
memberids, but it looks like samba is only checking the gid?

Is this something that anybody else has seen?

Thanks,

Kris


Re: [Samba] samba+ldap two domains db sync?

2010-01-13 Thread Larry Velez
Rob,

I am curious if you think an extension of this idea might work to centrally 
control and manage many domains?

Mothership LDAP [Hosted Highly Redundant setup]
- Domain 1 (SyncRepl only portion of LDAP)
- Domain 2 (SyncRepl only portion of LDAP)
...
- Domain 26 (SyncRepl only portion of LDAP)

Ideally each local subnet might also be VPNed up to the mothership so that 
local machines could still authenticate (slowly) if the local PDC were 
unavailable.  Long term each domain would be Samba4 based and fully AD ready.

Would love to discuss this idea with someone familiar with multi-domain setups 
like this.

thanks,

Larry

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Rob Shinn
Sent: Monday, January 11, 2010 9:33 AM
To: Alberto Moreno
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba+ldap two domains db sync?

Alberto Moreno wrote:
> Is possible to sync both ldap servers every time I change something
> in ldap? or a better way to do it?
You could probably do this with OpenLDAP's syncrepl replication
facility.  You may also wish to consider combining everything into one
LDAP database, containing two different Samba domains, with a common OU
for user accounts.  You could keep the LDAP servers as they are, just
set up one as a secondary LDAP server using syncrepl.  That would have
the advantage of centralizing everything and ease user administration,
since users created in one domain would automatically be included in both.

Without knowing the specifics, however, it's hard to say to which way
would be best.




Re: [Samba] samba+ldap two domains db sync?

2010-01-13 Thread Rob Shinn

Alberto Moreno wrote:

Is possible to sync both ldap servers every time I change something
in ldap? or a better way to do it?

You could probably do this with OpenLDAP's syncrepl replication
facility.  You may also wish to consider combining everything into one
LDAP database, containing two different Samba domains, with a common OU
for user accounts.  You could keep the LDAP servers as they are, just
set up one as a secondary LDAP server using syncrepl.  That would have
the advantage of centralizing everything and ease user administration,
since users created in one domain would automatically be included in both.

Without knowing the specifics, however, it's hard to say to which way
would be best.




Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Alberto Moreno
 Thanks people.

  I will read about syncrepl and see how it works, thanks all of u for
your tips!!!

  See  u!!!

On Mon, Jan 11, 2010 at 6:49 AM, Rob Shinn  wrote:
> Gaiseric Vandal wrote:
>>
>> I don't think one user in LDAP could be in two different domains-  each
>> user has to have a distinct SambaSID entry.
>>
>
> Ooomph! *slaps forehead*.  You're right.  That's what I get for posting
> before I've had my coffeee.
>
> I stand by my original statement that OpenLDAP's syncrepl would work,
> though.
>
>
>
>



-- 
LIving the dream...

Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Rob Shinn

Gaiseric Vandal wrote:


I don't think one user in LDAP could be in two different domains-  
each user has to have a distinct SambaSID entry.




Ooomph! *slaps forehead*.  You're right.  That's what I get for posting 
before I've had my coffeee.


I stand by my original statement that OpenLDAP's syncrepl would work, 
though.






Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Gaiseric Vandal

On 01/11/10 09:31, Rob Shinn wrote:

Alberto Moreno wrote:

Is possible to sync both ldap servers every time I change something
in ldap? or a better way to do it?
You could probably do this with OpenLDAP's syncrepl replication 
facility.  You may also wish to consider combining everything into one 
LDAP database, containing two different Samba domains, with a common 
OU for user accounts.  You could keep the LDAP servers as they are, 
just set up one as a secondary LDAP server using syncrepl.  That would 
have the advantage of centralizing everything and ease user 
administration, since users created in one domain would automatically 
be included in both.


Without knowing the specifics, however, it's hard to say to which way 
would be best.


I don't think one user in LDAP could be in two different domains-  each 
user has to have a distinct SambaSID entry.


I use Sun's Directory Server for my LDAP backend-  it was already in 
place for another project which is why I went with it rather than with 
OpenLDAP. It supports replication between ldap servers and has a GUI 
for setting up the replication parameters. Although, to be fair, 
there is a bit of a learning curve with this product.






Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Rob Shinn

Alberto Moreno wrote:

Is possible to sync both ldap servers every time I change something
in ldap? or a better way to do it?
You could probably do this with OpenLDAP's syncrepl replication 
facility.  You may also wish to consider combining everything into one 
LDAP database, containing two different Samba domains, with a common OU 
for user accounts.  You could keep the LDAP servers as they are, just 
set up one as a secondary LDAP server using syncrepl.  That would have 
the advantage of centralizing everything and ease user administration, 
since users created in one domain would automatically be included in both.


Without knowing the specifics, however, it's hard to say to which way 
would be best.




[Samba] samba+ldap two domains db sync?

2010-01-11 Thread Alberto Moreno
 Hi people.

  I have 2 domains running samba with ldap(Centos 5.x), I would like
to know this.

  I would like to have the same DB in both sites, if I change the
users just would like to do it 1 time.

  Is possible to sync both ldap servers every time I change something
in ldap? or a better way to do it?

  Thanks!!!

-- 
LIving the dream...


Re: [Samba] Samba + LDAP: Changing user's group

2009-12-21 Thread davefu

Bump


Wes Deviers wrote:
> 
> I'm having this same problem, but it's new.  Using 3.4.2 Debian packages, 
> recently upgraded.  I never had any type of LDAP group caching problem
> until 
> the last 2 weeks.  I added a user to an LDAP group as normal because they 
> needed access to a new share.  Cleared the nscd caches as normal.  The
> service 
> definition uses
> 
> force group = +groupName
> valid users = @admins, @groupName
> write list = @admins, @groupName
> 
> All of the people previously in @groupName retain access to the share. 
> The 
> person I just added cannot access it.  getent, groups, etc all return the 
> correct group membership.  If I add the account explicitly to valid users
> & 
> write list, it works as soon as I do an smbd reload.  
> 
> Did some behavior change or have we stumbled on a new bug?
> 
> Wes
> 
> 
> 
> On Monday 30 November 2009 07:29:33 am davefu wrote:
>> 
>> Hi, thanks for answering.
>> 
>> I have only 1 Samba server. When I mentioned changes on groups, I meant
>> on
>> LDAP server. LDAP is used on both system and samba environments. When
>> changing groups on users, those changes are instant on the system
>> environment, but not on Samba.
>> 
>> - I create a new "Folder A", with full permissions for "Group A"
>> - "User B" (belonging to group B), logs via SSH to the server, and can't
>> access the "Folder A".
>> - "User B" logs via Samba using his Windows desktop machine, and can't
>> access the "Folder A" (previously configured inside a Samba Resource).
>> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A"
>> and
>> "Group B".
>> - Getent group | grep "User B" shows correctly both groups on the user.
>> - "User B" correctly access "Folder A", write files, etc via console,
>> ssh,
>> or any kind of regular system authentication (since system is using pam
>> libraries, configured to use LDAP as backend).
>> - "User B" still can't access "Folder A" in any way. Samba has cached
>> "User
>> B" credentials, and haven't checked LDAP again for a while. The only
>> option
>> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
>> info about that user again.
>> 
>> Hope this little story explains my problem better.
>> Sorry for my english.
>> 
>> Thanks!
>> 
>> 
> 
> 



Re: [Samba] Samba + LDAP: Changing user's group

2009-12-02 Thread Wes Deviers
I'm having this same problem, but it's new.  Using 3.4.2 Debian packages, 
recently upgraded.  I never had any type of LDAP group caching problem until 
the last 2 weeks.  I added a user to an LDAP group as normal because they 
needed access to a new share.  Cleared the nscd caches as normal.  The service 
definition uses

force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName

All of the people previously in @groupName retain access to the share.  The 
person I just added cannot access it.  getent, groups, etc all return the 
correct group membership.  If I add the account explicitly to valid users & 
write list, it works as soon as I do an smbd reload.  

Did some behavior change or have we stumbled on a new bug?

Wes



On Monday 30 November 2009 07:29:33 am davefu wrote:
> 
> Hi, thanks for answering.
> 
> I have only 1 Samba server. When I mentioned changes on groups, I meant on
> LDAP server. LDAP is used on both system and samba environments. When
> changing groups on users, those changes are instant on the system
> environment, but not on Samba.
> 
> - I create a new "Folder A", with full permissions for "Group A"
> - "User B" (belonging to group B), logs via SSH to the server, and can't
> access the "Folder A".
> - "User B" logs via Samba using his Windows desktop machine, and can't
> access the "Folder A" (previously configured inside a Samba Resource).
> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
> "Group B".
> - Getent group | grep "User B" shows correctly both groups on the user.
> - "User B" correctly access "Folder A", write files, etc via console, ssh,
> or any kind of regular system authentication (since system is using pam
> libraries, configured to use LDAP as backend).
> - "User B" still can't access "Folder A" in any way. Samba has cached "User
> B" credentials, and haven't checked LDAP again for a while. The only option
> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
> info about that user again.
> 
> Hope this little story explains my problem better.
> Sorry for my english.
> 
> Thanks!
> 
> 


Re: [Samba] Samba + LDAP: Changing user's group

2009-12-01 Thread davefu

Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on
LDAP server. LDAP is used on both system and samba environments. When
changing groups on users, those changes are instant on the system
environment, but not on Samba.

- I create a new "Folder A", with full permissions for "Group A"
- "User B" (belonging to group B), logs via SSH to the server, and can't
access the "Folder A".
- "User B" logs via Samba using his Windows desktop machine, and can't
access the "Folder A" (previously configured inside a Samba Resource).
- Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A" and
"Group B".
- Getent group | grep "User B" shows correctly both groups on the user.
- "User B" correctly accesses "Folder A", writes files, etc. via console, ssh,
or any kind of regular system authentication (since system is using pam
libraries, configured to use LDAP as backend).
- "User B" still can't access "Folder A" in any way. Samba has cached "User
B" credentials, and hasn't checked LDAP again for a while. The only option
is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
info about that user again.

Hope this little story explains my problem better.
Sorry for my English.

Thanks!


However, 

sato x wrote:
> 
> On Thu, Nov 19, 2009 at 7:28 PM, davefu  wrote:
> 
>>
>> Hello fellas. I'm facing this problem today:
>>
>> My Samba PDC is using LDAP as a backend, and it's working really well. The
>> problem comes when I change the groups on one of the users. System shows
>> the change correctly by using 'getent group' and if I log in as that user the
>> behavior is correct when trying the new group permissions.
>>
>>
> OK.
> 
> 
>> Samba, however, doesn't seem to get those changes immediately (it syncs
>> hours later, totally random amount of time). I've tried disabling NSCD
>> but no luck. I've read somewhere that restarting Samba service forces Samba
>> to refresh the user's credentials, but that's not possible to do every time a
>> user needs a change in his groups. I'm wondering if there is some way to
>> refresh Samba cached credentials.
>>
>>
> Do you mean that you have other samba server (as file server) running and
> uses LDAP as its backend? When you change the group(s), the changing
> doesn't affect this file server immediately? If this is the case, I used to
> reload nscd to refresh its cache, since start-stop or restart nscd brings no
> effect at all.
> 
> Hope it can help - and pardon my language.
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26573907.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] Samba + LDAP: Changing user's group

2009-11-30 Thread sato x
On Thu, Nov 19, 2009 at 7:28 PM, davefu  wrote:

>
> Hello fellas. I'm facing this problem today:
>
> My Samba PDC is using LDAP as a backend, and it's working really well. The
> problem comes when I change the groups on one of the users. System shows
> the change correctly by using 'getent group' and if I log in as that user the
> behavior is correct when trying the new group permissions.
>
>
OK.


> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting Samba service forces Samba to
> refresh the user's credentials, but that's not possible to do every time a
> user needs a change in his groups. I'm wondering if there is some way to refresh
> Samba cached credentials.
>
>
Do you mean that you have other samba server (as file server) running and
uses LDAP as its backend? When you change the group(s), the changing doesn't
affect this file server immediately? If this is the case, I used to reload
nscd to refresh its cache, since start-stop or restart nscd brings no effect
at all.

Hope it can help - and pardon my language.


Re: [Samba] Samba + LDAP error in windows xp while ACL

2009-11-25 Thread D.Rajan
    184-2ubuntu2    Pluggable Authentication Module allowing LDA
ii  php5-ldap 5.2.4-2ubuntu5.3    LDAP module for php5
ii  smbldap-tools 0.9.4-1 Scripts to manage Unix and Samba accounts st

r...@sangam:~# dpkg -l | grep acl
ii  acl   2.2.45-1    Access control list utilities
ii  libacl1   2.2.45-1    Access control list shared library

sys...@sangam:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.1"

 
any logs you from me ?
 
 
 
 
C U Next Mail 
Raj 

Take Care 
HAVE A NICE DAY 

Mobile : 98418 78056 
Office No : 044- 28285571, 512 , 575   
Office No : 044- 30212881

--- On Tue, 17/11/09, vishesh kumar  wrote:


From: vishesh kumar 
Subject: Re: [Samba] Samba + LDAP error in windows xp while ACL
To: "D.Rajan" 
Cc: samba@lists.samba.org
Date: Tuesday, 17 November, 2009, 3:09 PM


Dear rajan
   Did you set ldap admin password for samba by using following command.

root#smbpasswd -w 

By the way you can also use pdbedit -Lv command to ensure samba is 
communicating to ldap properly.

Thanks



On Tue, Nov 17, 2009 at 10:55 AM, D.Rajan  wrote:

Dear All,
 
   Which files do I need to check to solve the problem?  I am having PDC
& BDC
 
r...@sangam:/var/log/samba# net getlocalsid
SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926

r...@vaigai:~# net getlocalsid
SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926
 
Error while ACL from windows XP:


ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
[2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
Unable to connect to CUPS server localhost:631 - Connection refused
[2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID 
S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.

As per your instruction I convert one system from our domain to workgroup and
restart the system and once again I convert to my domain, even though I am not
able to give permission from my system.
 
1. In my client XP system what I want to check regarding SID information?
2. How to solve the "unable to map SID" error in server.
 
I am having more than 2500 client system.
 
C U Next Mail
Raj

Take Care
HAVE A NICE DAY


--- On Sun, 8/11/09, D.Rajan  wrote:


From: D.Rajan 
Subject: Samba + LDAP error in windows xp while ACL
To: samba@lists.samba.org
Date: Sunday, 8 November, 2009, 6:08 PM







Dear all,
 
 I am using Samba + PDC LDAP in a single server. From last month onward I am
facing a problem.
When I set the ACL manually (setfacl -m g:group:rwx the_file)
it's OK, the other domain members see the ACL.

But when I set the ACL with a Windows workstation, that doesn't work; it gives
the furnished error:
 
sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
 
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
.
.
.
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID 
S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
 
 



 
 
C U Next Mail
Raj

Take Care
HAVE A NICE DAY






-- 
http://linuxinterviews.blogspot.com





Re: [Samba] Samba + LDAP: Changing user's group

2009-11-20 Thread davefu

Thanks for the reply.
Think I'll have a look at the smb.conf.

I'm not really sure about the answer to your question. For each domain, I
have 2 "sambaGroupMapping" (domainUsersDOMAIN & domainAdminsDOMAIN both SSID
ending in 513 and 512), and all the posix groups I want, to keep certain
order between user groups, admin groups, etc. which will come in use when
setting ACLs on the shared resources.

Thanks again.


Gaiseric Vandal wrote:
> 
> There are various TDB that cache info (maybe under /var/samba/locks)
> 
> If you run "testparm -v" there may be some timeout or cache variables you
> could adjust.
> 
> Does it matter if you have mapped the unix group to a Windows group?  In
> my environment we set up group mappings for the key groups (like Domain
> Administrators) but we have a lot of unix groups that we don't explicitly
> map to Windows groups.
> 
> 
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of davefu
> Sent: Thursday, November 19, 2009 7:29 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba + LDAP: Changing user's group
> 
> 
> Hello fellas. I'm facing this problem today:
> 
> My Samba PDC is using LDAP as a backend, and it's working really well. The
> problem comes when I change the groups on one of the users. System shows
> the change correctly by using 'getent group' and if I log in as that user the
> behavior is correct when trying the new group permissions.
> 
> Samba, however, doesn't seem to get those changes immediately (it syncs
> hours later, totally random amount of time). I've tried disabling NSCD but
> no luck. I've read somewhere that restarting Samba service forces Samba to
> refresh the user's credentials, but that's not possible to do every time a
> user needs a change in his groups. I'm wondering if there is some way to
> refresh Samba cached credentials.
> 
> Has anyone experienced this before?
> 
> P.D: Where is Samba caching the users information/credentials/password/etc
> anyway?
> 
> 
> -- 
> View this message in context:
> http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26421317.html
> Sent from the Samba - General mailing list archive at Nabble.com.
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26428171.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] Samba + LDAP: Changing user's group

2009-11-19 Thread Gaiseric Vandal
There are various TDB that cache info (maybe under /var/samba/locks)

If you run "testparm -v" there may be some timeout or cache variables you
could adjust.

Does it matter if you have mapped the unix group to a Windows group?  In my
environment we set up group mappings for the key groups (like Domain
Administrators) but we have a lot of unix groups that we don't explicitly
map to Windows groups.  


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group


Hello fellas. I'm facing this problem today:

My Samba PDC is using LDAP as a backend, and it's working really well. The
problem comes when I change the groups on one of the users. System shows the
change correctly by using 'getent group' and if I log in as that user the
behavior is correct when trying the new group permissions.

Samba, however, doesn't seem to get those changes immediately (it syncs
hours later, totally random amount of time). I've tried disabling NSCD but
no luck. I've read somewhere that restarting Samba service forces Samba to
refresh the user's credentials, but that's not possible to do every time a user
needs a change in his groups. I'm wondering if there is some way to refresh
Samba cached credentials.

Has anyone experienced this before?

P.D: Where is Samba caching the users information/credentials/password/etc
anyway?


-- 
View this message in context:
http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26421317.html
Sent from the Samba - General mailing list archive at Nabble.com.



[Samba] Samba + LDAP: Changing user's group

2009-11-19 Thread davefu

Hello fellas. I'm facing this problem today:

My Samba PDC is using LDAP as a backend, and it's working really well. The
problem comes when I change the groups on one of the users. System shows the
change correctly by using 'getent group' and if I log in as that user the
behavior is correct when trying the new group permissions.

Samba, however, doesn't seem to get those changes immediately (it syncs
hours later, totally random amount of time). I've tried disabling NSCD but
no luck. I've read somewhere that restarting Samba service forces Samba to
refresh the user's credentials, but that's not possible to do every time a user
needs a change in his groups. I'm wondering if there is some way to refresh
Samba cached credentials.

Has anyone experienced this before?

P.D: Where is Samba caching the users information/credentials/password/etc
anyway?


-- 
View this message in context: 
http://old.nabble.com/Samba-%2B-LDAP%3A-Changing-user%27s-group-tp26421317p26421317.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] Samba + LDAP error in windows xp while ACL

2009-11-17 Thread vishesh kumar
Dear rajan
   Did you set ldap admin password for samba by using following command.

root#smbpasswd -w 

By the way you can also use *pdbedit -Lv* command to ensure samba is
communicating to ldap properly.

Thanks


On Tue, Nov 17, 2009 at 10:55 AM, D.Rajan  wrote:

> Dear All,
>
>   Which files do I need to check to solve the problem?  I am having
> PDC & BDC
>
> r...@sangam:/var/log/samba# net getlocalsid
> SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926
>
> r...@vaigai:~# net getlocalsid
> SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926
>
> Error while ACL from windows XP:
> 
>
> ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
> [2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
> Unable to connect to CUPS server localhost:631 - Connection refused
> [2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.
>
> As per your instruction I convert one system from our domain to workgroup
> and restart the system and once again I convert to my domain, even though I
> am not able to give permission from my system.
>
> 1. In my client XP system what I want to check regarding SID information?
> 2. How to solve the "unable to map SID" error in server.
>
> I am having more than 2500 client system.
>
> C U Next Mail
> Raj
>
> Take Care
> HAVE A NICE DAY
>
>
> --- On Sun, 8/11/09, D.Rajan  wrote:
>
>
> From: D.Rajan 
> Subject: Samba + LDAP error in windows xp while ACL
> To: samba@lists.samba.org
> Date: Sunday, 8 November, 2009, 6:08 PM
>
>
>
>
>
>
>
> Dear all,
>
>  I am using Samba + PDC LDAP in a single server. From last month onward I
> am facing a problem.
> When I set the ACL manually (setfacl -m g:group:rwx the_file)
> it's OK, the other domain members see the ACL.
>
> But when I set the ACL with a Windows workstation, that doesn't work; it
> gives the furnished error:
>
> sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
>
> [2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
> sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our
> domain
> .
> .
> .
> [2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
> create_builtin_users: Failed to create Users
> [2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
>
>
>
>
>
>
>
> C U Next Mail
> Raj
>
> Take Care
> HAVE A NICE DAY
>
>
>
>



-- 
http://linuxinterviews.blogspot.com


Re: [Samba] Samba + LDAP error in windows xp while ACL

2009-11-16 Thread D.Rajan
Dear All,
 
   Which files do I need to check to solve the problem?  I am having PDC
& BDC
 
r...@sangam:/var/log/samba# net getlocalsid
SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926

r...@vaigai:~# net getlocalsid
SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926
 
Error while ACL from windows XP:


ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
[2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
Unable to connect to CUPS server localhost:631 - Connection refused
[2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID 
S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.

As per your instruction I convert one system from our domain to workgroup and
restart the system and once again I convert to my domain, even though I am not
able to give permission from my system.
 
1. In my client XP system what I want to check regarding SID information?
2. How to solve the "unable to map SID" error in server.
 
I am having more than 2500 client system.
 
C U Next Mail 
Raj 

Take Care 
HAVE A NICE DAY 


--- On Sun, 8/11/09, D.Rajan  wrote:


From: D.Rajan 
Subject: Samba + LDAP error in windows xp while ACL
To: samba@lists.samba.org
Date: Sunday, 8 November, 2009, 6:08 PM







Dear all,
 
 I am using Samba + PDC LDAP in a single server. From last month onward I am
facing a problem.
When I set the ACL manually (setfacl -m g:group:rwx the_file)
it's OK, the other domain members see the ACL.

But when I set the ACL with a Windows workstation, that doesn't work; it gives
the furnished error:
 
sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
 
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
.
.
.
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID 
S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
 
 



 
 
C U Next Mail 
Raj 

Take Care 
HAVE A NICE DAY 





Re: [Samba] Samba + LDAP error in windows xp while ACL

2009-11-08 Thread Gaiseric Vandal
Did this use to work OK?

It sounds like samba is not properly mapping YOURDOMAIN\username in Windows
to the underlying unix account.  Do you create the unix accounts first or
does samba automatically create them?  Either way, I think your LDAP entry
for each user should include the unix uid number as well as the samba sid.


What happens if you type "wbinfo -s SID
S-1-5-21-4020846335-601350461-1468625926-27594?"


Also, if I am reading this correctly, the log files seem to indicate two
domains are involved here-  *-3986255151-* and *-4020846335-*

I have had problems getting the SID to unix id mapping stuff working
properly with member samba servers (not with XP clients.)  Can you try
removing and rejoining an XP machine to the domain?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of D.Rajan
Sent: Sunday, November 08, 2009 7:39 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + LDAP error in windows xp while ACL

Dear all,
 
 I am using Samba + PDC LDAP in a single server. From last month onward I am
facing a problem.
When I set the ACL manually (setfacl -m g:group:rwx the_file)
it's OK, the other domain members see the ACL.

But when I set the ACL with a Windows workstation, that doesn't work; it
gives the furnished error:
 
sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
 
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our
domain
.
.
.
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID
S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
 
 



 
 
C U Next Mail 
Raj 

Take Care 
HAVE A NICE DAY 




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
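
The reply above points out that the quoted log mentions two different domain SID prefixes. As an added example (not code from the thread or from Samba), the following Python sketch parses smbd log records, splits every SID into domain SID and RID, and separates SIDs from a foreign domain from local SIDs that could not be mapped to a uid or gid. The function names and verdict labels are hypothetical; the sample log is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: log lines quoted in this thread, including the way the
# mail client wrapped one SID onto its own line.
SAMPLE_LOG = """\
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID
S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
"""

# Domain SID reported by `net getlocalsid` in the thread.
LOCAL_DOMAIN_SID = "S-1-5-21-4020846335-601350461-1468625926"

# "[date time, level] source_file:function(line)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)"
)
# Account/group SID: three domain sub-authorities followed by a RID.
SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+-\d+\b")


def parse_records(text):
    """Group header lines with their (possibly wrapped) message lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "msg": ""})
        elif records and line:
            # Continuation: re-join text that was wrapped across lines.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def classify(records, local_domain_sid):
    """Return one finding per SID seen in the log."""
    findings = []
    for rec in records:
        for m in SID_RE.finditer(rec["msg"]):
            domain_sid, _, rid = m.group(0).rpartition("-")
            if domain_sid != local_domain_sid:
                verdict = "foreign-domain"      # entry carries another domain's SID
            elif "unable to map SID" in rec["msg"]:
                verdict = "local-unmapped"      # our domain, but no uid/gid behind the RID
            else:
                verdict = "local-other"
            findings.append({"time": rec["time"], "func": rec["func"],
                             "domain_sid": domain_sid, "rid": int(rid),
                             "verdict": verdict})
    return findings


def rids_by_domain(findings):
    """Summarise which RIDs were seen under each domain SID."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["domain_sid"]].add(f["rid"])
    return {domain: sorted(rids) for domain, rids in grouped.items()}


if __name__ == "__main__":
    for f in classify(parse_records(SAMPLE_LOG), LOCAL_DOMAIN_SID):
        print(f["time"], f["func"], f["domain_sid"], f["rid"], f["verdict"])
```

The two verdicts call for different follow-up: a foreign-domain SID points at directory entries created under another domain SID, while a local-unmapped RID points at a missing uid/gid mapping for an account in the current domain.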


[Samba] Samba + LDAP error in windows xp while ACL

2009-11-08 Thread D.Rajan
Dear all,
 
 I am using Samba + PDC LDAP in a single server. From last month onward I am
facing a problem.
When I set the ACL manually (setfacl -m g:group:rwx the_file)
it's OK, the other domain members see the ACL.

But when I set the ACL with a Windows workstation, that doesn't work; it gives
the furnished error:
 
sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
 
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
.
.
.
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
create_canon_ace_lists: unable to map SID 
S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
 
 



 
 
C U Next Mail 
Raj 

Take Care 
HAVE A NICE DAY 





Re: [Samba] Samba & LDAP: "Unable to allocate a new user id: bailing out!"

2009-10-29 Thread Christian Geiger
Great - that was the reason. In case someone else encounters the same 
problem - adding the following lines helped:


   idmap backend = ldap
   idmap alloc backend = ldap
   idmap alloc config:ldap_base_dn = ou=idmaps,dc=lohrmann,dc=de
   idmap alloc config:ldap_user_dn = cn=samba,dc=lohrmann,dc=de
   idmap alloc config:ldap_url = ldap://ldap.lohrmann.de

Thx François!


On 28.10.2009 17:23, François Legal wrote:

You have to define an allocation backend for idmapping, so that winbindd
can allocate uids and gids for the users and groups that you want to
create.

On Wed, 28 Oct 2009 16:32:35 +0100, Christian Geiger wrote:

Hi!

I'm currently setting up a Samba 3 PDC. So far I managed to setup Samba
with an OpenLDAP backend, but adding a user with the command "net rpc
user add mg password -U root" results in the following error:

Failed to add user 'mg' with: WERR_GENERAL_FAILURE.

In the logfile it says:

[2009/10/28 15:56:28,  0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
ldapsam_create_user: Unable to allocate a new user id: bailing out!

Unfortunately I cannot find any other hint on what the reason could be.
Has someone an idea what I might have misconfigured?

Below's my smb.conf. The samba-user has granted the rights to manage the
whole domain-tree (olcAccess = {0}to dn.sub="dc=lohrmann,dc=de" by
dn="cn=samba,dc=lohrmann,dc=de" manage by * break).

Thx a lot in advance!

Chris



smb.conf:

[global]

 workgroup = LOHRMANN.DE
 domain logons = yes
 domain master = yes
 local master = yes
 preferred master = yes
 os level = 65

 passdb backend = ldapsam
 ldap admin dn = cn=samba,dc=lohrmann,dc=de
 ldap suffix = dc=lohrmann,dc=de
 ldap passwd sync = yes
 ldap machine suffix = ou=machines
 ldap user suffix = ou=users
 ldap group suffix = ou=groups
 ldap idmap suffix = ou=idmaps
 ldap ssl = no
 idmap uid = 1-2
 idmap gid = 1-2

 ldapsam:trusted = yes
 ldapsam:editposix = yes

 logon drive = H:
 logon script = logon.bat
 logon path = \\%N\profiles\%U\%a

[homes]
 comment = Users Home Directories
 valid users = %S
 writeable = yes

[netlogon]
 comment = Network Logon Service
 path = /var/lib/samba/netlogon

[profiles]
 comment = Users profiles
 path = /var/lib/samba/profiles

[printers]
 comment = All Printers
 browseable = no
 path = /var/spool/samba
 printable = yes
 guest ok = no
 read only = yes
 create mask = 0700

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers
 browseable = yes
 read only = yes
 guest ok = no



Re: [Samba] samba ldap

2009-10-29 Thread Kaushal Shriyan
On Thu, Oct 29, 2009 at 12:13 AM, Dale Schroeder
 wrote:
>
> Dale Schroeder
> Technical Issues
> Del Sol Food Company, Inc.
> (979) 836-5978
>
>
> Kaushal Shriyan wrote:
>
> On Wed, Oct 28, 2009 at 11:44 PM, Dale Schroeder
>  wrote:
>
>
> Kaushal Shriyan wrote:
>
> Hi,
>
> I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html
> and ldap works perfectly fine.
> I have issues with connecting to ldap from samba.
>
> I get
>
> [2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
>  Connection to LDAP server failed for the 9 try!
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
>  smbldap_open_connection: connection opened
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
>  failed to bind to server ldap://localhost/ with
> dn="cn=admin,dc=webaroo,dc=com" Error: Can't contact LDAP server
>        (unknown)
>
> I have ldapserver running on the same server as samba server is
> running. when i run ldapsearch -x -H ldaps://localhost. I am able to
> see the user details.
> Please let me know if anyone needs configs and additional information.
> Also when i run smbldap-populate, i get
> http://paste.ubuntu.com/302630/
>
> Thanks,
>
> Kaushal
>
>
>
>
>
>
> Hi,
>
>
> I see you're using encryption.  All of that is beyond me, as my setup is
> plain.
> Still, I noticed some inconsistencies and 1 probable error.  I pasted each
> suspicious
> value below its pastebin link.
>
> Below are my configs.
>
>
> Notice below that you have different values for the ldap admin user.
> Twice  you have cn=admin.
> Once you have dc=admin.
>
> http://pastebin.com/dcb24c87 ---> ldap.conf
> http://pastebin.com/d721f0d4d ---> slapd.conf
>
>
> rootdn          "cn=admin,dc=example,dc=com"
>
> http://pastebin.com/d102cbfc5 --->samba.conf
>
>
> ldap admin dn = cn=admin,dc=example,dc=com
> ldap suffix = dc=example,dc=com (compare this line with what you put in
> smbldap.conf)
>
> http://pastebin.com/d4a02b874 --> smbldap.conf
>
>
> suffix="dc=admin,dc=example,dc=com" (compare to smb.conf)
> Probably should not have the dc=admin part.
> Because of all the ${suffix} entries, this would propagate throughout the
> "ou" entries.
>
> http://pastebin.com/d716fddc0 ---> smbldap_bind.conf
>
>
> masterDN="dc=admin,dc=example,dc=com"
>
> If the problem lies with ldaps/ssl rather than my observations, then someone
> far more knowledgeable than me will have to find it.
>
> Dale
>
>
> Hi Dale
>
> I have set it correctly in smbldap.conf and smbldap_bind.conf
>
> cn=admin,dc=webaroo,dc=com
>
> I get http://pastebin.com/d6d35247f
>
> Please suggest/guide.
>
>
> Did you try changing the value in smbldap.conf from
>
> suffix="dc=admin,dc=example,dc=com"
>
> to
>
> suffix="dc=example,dc=com"
>
> (removing "dc=admin")?
>
> The error message seems to indicate you did not.
>
> adding new entry: ou=Users,cn=admin,dc=example,dc=com
>
> Dale
>
> Thanks,
>
> Kaushal
>
>

Hi Dale,

I get http://pastebin.com/d47ac4bd9

Thanks,

Kaushal
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
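
The mismatch discussed in this exchange (cn=admin in one file, dc=admin in another, and a suffix that differs between smb.conf and smbldap.conf) can be checked mechanically. The Python sketch below is an added example, not code from the thread or from smbldap-tools; it compares the DN settings across the three files and shows how a wrong suffix propagates through `${suffix}`. The config fragments are constructed from the values quoted in the thread, the `usersdn` line is an assumed typical entry, and the function names are hypothetical. DN parsing is deliberately simple and does not handle escaped commas.

```python
import re

# Constructed fragments carrying the values quoted in the thread.
SMB_CONF = """\
[global]
   passdb backend = ldapsam
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
[homes]
   comment = Home Directories
"""
SMBLDAP_CONF = """\
# smbldap.conf
suffix="dc=admin,dc=example,dc=com"
usersdn="ou=Users,${suffix}"
"""
SMBLDAP_BIND_CONF = """\
masterDN="dc=admin,dc=example,dc=com"
"""

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?\s*(?:#.*)?$')
VAR_RE = re.compile(r"\$\{(\w+)\}")


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf, keys lower-cased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)      # DN values contain '=' too
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_shell_assignments(text):
    """Parse key="value" lines and expand ${var} references one level deep."""
    raw = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            raw[m.group(1)] = m.group(2).strip()
    return {k: VAR_RE.sub(lambda v: raw.get(v.group(1), v.group(0)), val)
            for k, val in raw.items()}


def normalize_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True when dn equals base or sits below it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def audit(smb, smbldap, bind):
    """Compare the DN settings of the three files; return (code, detail) pairs."""
    findings = []
    samba_suffix = smb.get("ldap suffix", "")
    samba_admin = smb.get("ldap admin dn", "")
    if normalize_dn(smbldap.get("suffix", "")) != normalize_dn(samba_suffix):
        findings.append(("suffix-mismatch",
                         f"smbldap.conf suffix={smbldap.get('suffix')!r} "
                         f"vs smb.conf ldap suffix={samba_suffix!r}"))
    if normalize_dn(bind.get("masterDN", "")) != normalize_dn(samba_admin):
        findings.append(("bind-dn-mismatch",
                         f"smbldap_bind.conf masterDN={bind.get('masterDN')!r} "
                         f"vs smb.conf ldap admin dn={samba_admin!r}"))
    if not is_under(samba_admin, samba_suffix):
        findings.append(("admin-dn-outside-suffix", samba_admin))
    return findings


if __name__ == "__main__":
    smbldap = parse_shell_assignments(SMBLDAP_CONF)
    print("usersdn expands to:", smbldap["usersdn"])
    for code, detail in audit(parse_smb_global(SMB_CONF), smbldap,
                              parse_shell_assignments(SMBLDAP_BIND_CONF)):
        print(code, "-", detail)
```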


Re: [Samba] Samba + LDAP problem for find user name

2009-10-28 Thread Jamrock

"Bruno Steven"  wrote in message
news:c6bf33680910270225n6b5423e5te193e27399144...@mail.gmail.com...
> I have Samba integrated with OpenLDAP, all processes are up, and I am trying
> to add a Windows XP SP3 machine to the Samba domain, but Windows shows this
> message: Error while the attempt  of entry in domain "amblivre.com"  Is not
> possible find user name
>
> I am tired because I haven't found any solution to this problem; I need
> some ideas.
>
> Thanks ...

Have you set up nss ldap?

When you type "getent passwd" do you see the users created in ldap as well
as those in the /etc/passwd file?

When you type "getent group" do you see the groups created in ldap as well
as those in the /etc/group file?





Re: [Samba] samba ldap

2009-10-28 Thread Kaushal Shriyan
On Wed, Oct 28, 2009 at 11:44 PM, Dale Schroeder
 wrote:
> Kaushal Shriyan wrote:
>
> Hi,
>
> I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html
> and ldap works perfectly fine.
> I have issues with connecting to ldap from samba.
>
> I get
>
> [2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
>  Connection to LDAP server failed for the 9 try!
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
>  smbldap_open_connection: connection opened
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
>  failed to bind to server ldap://localhost/ with
> dn="cn=admin,dc=webaroo,dc=com" Error: Can't contact LDAP server
>        (unknown)
>
> I have ldapserver running on the same server as samba server is
> running. When I run ldapsearch -x -H ldaps://localhost, I am able to
> see the user details.
> Please let me know if anyone needs configs and additional information.
> Also, when I run smbldap-populate, I get
> http://paste.ubuntu.com/302630/
>
> Thanks,
>
> Kaushal
>
>
>
>
>
>
> Hi,
>
>
> I see you're using encryption.  All of that is beyond me, as my setup is
> plain.
> Still, I noticed some inconsistencies and 1 probable error.  I pasted each
> suspicious value below its pastebin link.
>
> Below are my configs.
>
>
> Notice below that you have different values for the ldap admin user.
> Twice  you have cn=admin.
> Once you have dc=admin.
>
> http://pastebin.com/dcb24c87 ---> ldap.conf
> http://pastebin.com/d721f0d4d ---> slapd.conf
>
>
> rootdn          "cn=admin,dc=example,dc=com"
>
> http://pastebin.com/d102cbfc5 --->samba.conf
>
>
> ldap admin dn = cn=admin,dc=example,dc=com
> ldap suffix = dc=example,dc=com (compare this line with what you put in
> smbldap.conf)
>
> http://pastebin.com/d4a02b874 --> smbldap.conf
>
>
> suffix="dc=admin,dc=example,dc=com" (compare to smb.conf)
> Probably should not have the dc=admin part.
> Because of all the ${suffix} entries, this would propagate throughout the
> "ou" entries.
>
> http://pastebin.com/d716fddc0 ---> smbldap_bind.conf
>
>
> masterDN="dc=admin,dc=example,dc=com"
>
> If the problem lies with ldaps/ssl rather than my observations, then someone
> far more knowledgeable than me will have to find it.
>
> Dale

Hi Dale

I have set it correctly in smbldap.conf and smbldap_bind.conf

cn=admin,dc=webaroo,dc=com

I get http://pastebin.com/d6d35247f

Please suggest/guide.

Thanks,

Kaushal
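
The cross-file comparison Dale walks through above, as an added Python example (not code from the thread or from smbldap-tools): it parses the four files and reports where the suffix and admin DN disagree. The file contents are constructed from the values quoted in the thread; the `usersdn` line and the `ldap user suffix` value are assumptions added to show the `${suffix}` propagation.

```python
import re

# Constructed fragments using the values quoted in the thread.
# "ldap user suffix" and "usersdn" are assumed lines, not taken from the pastebins.
SMB_CONF = """[global]
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=Users
"""
SLAPD_CONF = 'rootdn          "cn=admin,dc=example,dc=com"\n'
SMBLDAP_CONF = 'suffix="dc=admin,dc=example,dc=com"\nusersdn="ou=Users,${suffix}"\n'
SMBLDAP_BIND_CONF = 'masterDN="dc=admin,dc=example,dc=com"\n'


def dn_key(dn):
    """Normalise a DN for comparison: tuple of lower-cased (attr, value) RDNs.
    Assumes no escaped commas, which holds for the DNs in the thread."""
    rdns = []
    for rdn in dn.strip().strip('"').split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def is_under(dn, suffix):
    """True when dn sits below suffix in the tree."""
    d, s = dn_key(dn), dn_key(suffix)
    return len(d) > len(s) and d[-len(s):] == s


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf, keys lower-cased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params


def parse_smbldap(text):
    """Parse key="value" lines (smbldap.conf, smbldap_bind.conf), expanding ${var}."""
    values = {}
    for raw in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*)"?', raw)
        if m:
            expand = lambda v: values.get(v.group(1), v.group(0))
            values[m.group(1)] = re.sub(r"\$\{(\w+)\}", expand, m.group(2).strip())
    return values


def parse_slapd(text):
    """Pick the rootdn and suffix directives out of a slapd.conf."""
    values = {}
    for raw in text.splitlines():
        m = re.match(r'\s*(rootdn|suffix)\s+"?([^"]+)"?', raw)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def check(smb, slapd, smbldap, bind):
    """Return a list of (code, message) findings; an empty list means consistent."""
    g, s = parse_smb_global(smb), parse_slapd(slapd)
    t, b = parse_smbldap(smbldap), parse_smbldap(bind)
    suffix, admin = g.get("ldap suffix", ""), g.get("ldap admin dn", "")
    findings = []
    if dn_key(t.get("suffix", "")) != dn_key(suffix):
        findings.append(("SUFFIX_MISMATCH",
                         f"smbldap.conf suffix {t.get('suffix')!r} != smb.conf {suffix!r}"))
    for name, value in (("slapd.conf rootdn", s.get("rootdn", "")),
                        ("smbldap_bind.conf masterDN", b.get("masterDN", ""))):
        if dn_key(value) != dn_key(admin):
            findings.append(("ADMIN_DN_MISMATCH",
                             f"{name} {value!r} != smb.conf ldap admin dn {admin!r}"))
    if not is_under(admin, suffix):
        findings.append(("ADMIN_OUTSIDE_SUFFIX", f"{admin!r} is not below {suffix!r}"))
    user_suffix = g.get("ldap user suffix")
    if user_suffix and "usersdn" in t:
        expected = f"{user_suffix},{suffix}"
        if dn_key(t["usersdn"]) != dn_key(expected):
            findings.append(("CONTAINER_MISMATCH",
                             f"usersdn expands to {t['usersdn']!r}, smb.conf implies {expected!r}"))
    return findings


if __name__ == "__main__":
    for code, message in check(SMB_CONF, SLAPD_CONF, SMBLDAP_CONF, SMBLDAP_BIND_CONF):
        print(f"{code}: {message}")
```
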


[Samba] Samba & LDAP: "Unable to allocate a new user id: bailing out!"

2009-10-28 Thread Christian Geiger

Hi!

I'm currently setting up a Samba 3 PDC. So far I managed to setup Samba 
with an OpenLDAP backend, but adding a user with the command "net rpc 
user add mg password -U root" results in the following error:


Failed to add user 'mg' with: WERR_GENERAL_FAILURE.

In the logfile it says:

[2009/10/28 15:56:28,  0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!

Unfortunately I cannot find any other hint on what the reason could be. 
Has someone an idea what I might have misconfigured?


Below is my smb.conf. The samba user has been granted the rights to manage the 
whole domain tree (olcAccess = {0}to dn.sub="dc=lohrmann,dc=de" by 
dn="cn=samba,dc=lohrmann,dc=de" manage by * break).


Thx a lot in advance!

Chris



smb.conf:

[global]

   workgroup = LOHRMANN.DE
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

   passdb backend = ldapsam
   ldap admin dn = cn=samba,dc=lohrmann,dc=de
   ldap suffix = dc=lohrmann,dc=de
   ldap passwd sync = yes
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap idmap suffix = ou=idmaps
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2

   ldapsam:trusted = yes
   ldapsam:editposix = yes

   logon drive = H:
   logon script = logon.bat
   logon path = \\%N\profiles\%U\%a

[homes]
   comment = Users Home Directories
   valid users = %S
   writeable = yes

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon

[profiles]
   comment = Users profiles
   path = /var/lib/samba/profiles

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no


Re: [Samba] samba ldap

2009-10-28 Thread Kaushal Shriyan
On Wed, Oct 28, 2009 at 12:39 AM, Dale Schroeder
 wrote:
> Kaushal Shriyan wrote:
>
> On Tue, Oct 27, 2009 at 11:22 PM, Dale Schroeder
>  wrote:
>
>
> Two things that I can think of:
> 1. Did you remember to run smbpasswd -w
>
> 2. In /etc/smbldap-tools, check the values in the two conf files.
>   Edit as necessary, or run "dpkg-reconfigure smbldap-tools" if needed.
>
> If that doesn't help, you'll probably need to post your config files on the
> list.
>
>
>
> Hi Dale
>
> Shall I pastebin the configs to you instead of the list due to security
> concerns?
>
> Thanks,
>
> Kaushal
>
>
> It would be best to "sanitize" anything you don't want to be public, then
> allow the list to see them.
> The contents of those files should be small enough to paste into the body of
> the mail, but that's your call.
>
> No clues in the other howto's?
>
> Dale
>
>
>
> FYI: More complete howto's here:
> http://wiki.makethemove.net/index.php?title=LDAP-Samba#Introduction
> and here:
> https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix
>
> I use Debian and was able to successfully adapt these Ubuntu tutorials, so
> they should work for you.
>
> Dale
>
>
> Kaushal Shriyan wrote:
>
>
> Hi,
>
> I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html
> and ldap works perfectly fine.
> I have issues with connecting to ldap from samba.
>
> I get
>
> [2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
>  Connection to LDAP server failed for the 9 try!
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
>  smbldap_open_connection: connection opened
> [2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
>  failed to bind to server ldap://localhost/ with
> dn="cn=admin,dc=webaroo,dc=com" Error: Can't contact LDAP server
>        (unknown)
>
> I have ldapserver running on the same server as samba server is
> running. When I run ldapsearch -x -H ldaps://localhost, I am able to
> see the user details.
> Please let me know if anyone needs configs and additional information.
> Also, when I run smbldap-populate, I get
> http://paste.ubuntu.com/302630/
>
> Thanks,
>
> Kaushal
>
>
>
>

Hi,

Below are my configs.

http://pastebin.com/dcb24c87 ---> ldap.conf
http://pastebin.com/d721f0d4d ---> slapd.conf
http://pastebin.com/d102cbfc5 --->samba.conf
http://pastebin.com/d4a02b874 --> smbldap.conf
http://pastebin.com/d716fddc0 ---> smbldap_bind.conf

I am running both the ldap and samba servers on the same host, running
ubuntu 8.04 Hardy server. I am following
https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html. When I run
smbldap-populate I get http://pastebin.com/d30ed0db6.

Please let me know if anyone needs more information.

Thanks,

Kaushal


Re: [Samba] Samba + LDAP problem for find user name

2009-10-27 Thread Bruno Steven
Hi guys and girls, until now I haven't found any information that resolves
my problem. Is there somebody on this list who has made Samba and OpenLDAP
work together?



On Tue, Oct 27, 2009 at 7:25 AM, Bruno Steven  wrote:

> I have Samba integrated with OpenLDAP, all processes are up, and I am trying
> to add a Windows XP SP3 machine to the Samba domain, but Windows shows this
> message: Error while the attempt  of entry in domain "amblivre.com"  Is
> not possible find user name
>
> I am tired because I haven't found any solution to this problem; I need
> some ideas.
>
> Thanks ...
>





[Samba] Samba + LDAP problem for find user name

2009-10-27 Thread Bruno Steven
I have Samba integrated with OpenLDAP, all processes are up, and I am trying
to add a Windows XP SP3 machine to the Samba domain, but Windows shows this
message: Error while the attempt  of entry in domain "amblivre.com"  Is not
possible find user name

I am tired because I haven't found any solution to this problem; I need
some ideas.

Thanks ...



[Samba] samba ldap

2009-10-27 Thread Kaushal Shriyan
Hi,

I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html
and ldap works perfectly fine.
I have issues with connecting to ldap from samba.

I get

[2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 9 try!
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldap://localhost/ with
dn="cn=admin,dc=webaroo,dc=com" Error: Can't contact LDAP server
(unknown)

I have ldapserver running on the same server as samba server is
running. When I run ldapsearch -x -H ldaps://localhost, I am able to
see the user details.
Please let me know if anyone needs configs and additional information.
Also, when I run smbldap-populate, I get
http://paste.ubuntu.com/302630/

Thanks,

Kaushal


Re: [Samba] samba+ldap

2009-10-24 Thread morgan
 
On Fri 23/10/09  4:31 PM , Adam Williams  wrote:
> Paras pradhan wrote:
>> On Fri, Oct 23, 2009 at 2:07 PM,  wrote:
>>> Most mainstream Linux distros are compiling in LDAP support these days, no
>>> problem.  Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their
>>> standard packages, AFAIK.  I'm not sure what BSDs are doing these days, but
>>> I'd bet they're the same way.
>>
>> I am under solaris 9 (ancient) platform. Now my compilation seems to
>> be OK, now need to find ways to connect this to the sun ldap server.
>> Any info on this will be a great help
>>
>> Thanks
>> Paras.
>
> in CentOS/Fedora you use nss_ldap, i'm not sure what solaris uses, maybe
> you can compile nss_ldap from source and setup /etc/ldap.conf and
> /etc/nsswitch.conf

See this link for excellent info:
http://aput.net/~jheiss/krbldap/howto.html#ldapclient


Re: [Samba] samba+ldap

2009-10-23 Thread Adam Williams



Paras pradhan wrote:
> On Fri, Oct 23, 2009 at 2:07 PM,   wrote:
>> Most mainstream Linux distros are compiling in LDAP support these days, no
>> problem.  Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their
>> standard packages, AFAIK.  I'm not sure what BSDs are doing these days, but
>> I'd bet they're the same way.
>
> I am under solaris 9 (ancient) platform. Now my compilation seems to
> be OK, now need to find ways to connect this to the sun ldap server.
> Any info on this will be a great help
>
> Thanks
> Paras.

in CentOS/Fedora you use nss_ldap, I'm not sure what solaris uses, maybe 
you can compile nss_ldap from source and set up /etc/ldap.conf and 
/etc/nsswitch.conf



Re: [Samba] samba+ldap

2009-10-23 Thread Paras pradhan
On Fri, Oct 23, 2009 at 2:07 PM,   wrote:
> Most mainstream Linux distros are compiling in LDAP support these days, no
> problem.  Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their
> standard packages, AFAIK.  I'm not sure what BSDs are doing these days, but
> I'd bet they're the same way.

I am under solaris 9 (ancient) platform. Now my compilation seems to
be OK, now need to find ways to connect this to the sun ldap server.
Any info on this will be a great help

Thanks
Paras.


>
> On Fri 23/10/09 2:55 PM , Adam Williams  wrote:
>
> mine has about the same, and connects to LDAP fine, so I think you are
> ready.
>
> [r...@missioncontrol BackupPC-3.2.0beta0]# smbd -b|grep LDAP
> HAVE_LDAP_H
> HAVE_LDAP
> HAVE_LDAP_ADD_RESULT_ENTRY
> HAVE_LDAP_INIT
> HAVE_LDAP_INITIALIZE
> HAVE_LDAP_SASL_WRAPPING
> HAVE_LDAP_SET_REBIND_PROC
> HAVE_LIBLDAP
> LDAP_SET_REBIND_PROC_ARGS
>
>
> Paras pradhan wrote:
>> Does this mean that my samba is ready to connect to LDAP server?
>>
>> r...@webdev # ./smbd -b |grep LDAP
>> HAVE_LDAP_H
>> HAVE_LDAP
>> HAVE_LDAP_ADD_RESULT_ENTRY
>> HAVE_LDAP_INIT
>> HAVE_LDAP_INITIALIZE
>> HAVE_LDAP_SET_REBIND_PROC
>> HAVE_LIBLDAP
>> LDAP_SET_REBIND_PROC_ARGS
>> r...@webdev #
>>
>>
>> Thanks!
>> Paras.
>>
>


Re: [Samba] samba+ldap

2009-10-23 Thread morgan
 

Most mainstream Linux distros are compiling in LDAP support these
days, no problem.  Debian, Ubuntu, Fedora and SuSE are all compiling
in LDAP in their standard packages, AFAIK.  I'm not sure what BSDs are
doing these days, but I'd bet they're the same way.

On Fri 23/10/09  2:55 PM , Adam Williams  wrote:
> mine has about the same, and connects to LDAP fine, so I think you are
> ready.
>
> [ BackupPC-3.2.0beta0]# smbd -b|grep LDAP
> HAVE_LDAP_H
> HAVE_LDAP
> HAVE_LDAP_ADD_RESULT_ENTRY
> HAVE_LDAP_INIT
> HAVE_LDAP_INITIALIZE
> HAVE_LDAP_SASL_WRAPPING
> HAVE_LDAP_SET_REBIND_PROC
> HAVE_LIBLDAP
> LDAP_SET_REBIND_PROC_ARGS
>
> Paras pradhan wrote:
>> Does this mean that my samba is ready to connect to LDAP server?
>>
>>  # ./smbd -b |grep LDAP
>> HAVE_LDAP_H
>> HAVE_LDAP
>> HAVE_LDAP_ADD_RESULT_ENTRY
>> HAVE_LDAP_INIT
>> HAVE_LDAP_INITIALIZE
>> HAVE_LDAP_SET_REBIND_PROC
>> HAVE_LIBLDAP
>> LDAP_SET_REBIND_PROC_ARGS
>>  #
>>
>> Thanks!
>> Paras.


Re: [Samba] samba+ldap

2009-10-23 Thread Adam Williams
mine has about the same, and connects to LDAP fine, so I think you are 
ready.


[r...@missioncontrol BackupPC-3.2.0beta0]# smbd -b|grep LDAP
  HAVE_LDAP_H
  HAVE_LDAP
  HAVE_LDAP_ADD_RESULT_ENTRY
  HAVE_LDAP_INIT
  HAVE_LDAP_INITIALIZE
  HAVE_LDAP_SASL_WRAPPING
  HAVE_LDAP_SET_REBIND_PROC
  HAVE_LIBLDAP
  LDAP_SET_REBIND_PROC_ARGS


Paras pradhan wrote:
> Does this mean that my samba is ready to connect to LDAP server?
>
> r...@webdev # ./smbd -b |grep LDAP
>    HAVE_LDAP_H
>    HAVE_LDAP
>    HAVE_LDAP_ADD_RESULT_ENTRY
>    HAVE_LDAP_INIT
>    HAVE_LDAP_INITIALIZE
>    HAVE_LDAP_SET_REBIND_PROC
>    HAVE_LIBLDAP
>    LDAP_SET_REBIND_PROC_ARGS
> r...@webdev #
>
> Thanks!
> Paras.
  




[Samba] samba+ldap

2009-10-23 Thread Paras pradhan
Does this mean that my samba is ready to connect to LDAP server?

r...@webdev # ./smbd -b |grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_ADD_RESULT_ENTRY
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
r...@webdev #


Thanks!
Paras.


Re: [Samba] samba / ldap

2009-09-04 Thread azzouz

azzouz wrote:
> Hi!
>
> I want to have one LDAP backend and two domain instances on the same
> server.
>
> Two questions:
>
> 1 - When I start the first instance, domain1, I get a SID which is put
> into the secrets.tbd file.
>
>    But when I start the second one, it detects the SID in the secrets file
> and so doesn't create another.
>
>    How can I differentiate the secrets.tbd file for each instance,
> each referring to a different smb.conf file and a particular domain?
>
> 2 - This one is related to the first question:
>  Has anyone tested a configuration like this and had users
> connect to LDAP from the two domains?
>
> Thanks!
>
> Y.

I found one parameter to put in smb.conf to determine the 
secrets.tbd path:

private dir =

Now I test the LDAP connection from the two domains.

Y.


[Samba] samba / ldap

2009-09-04 Thread azzouz

Hi!

I want to have one LDAP backend and two domain instances on the same 
server.

Two questions:

1 - When I start the first instance, domain1, I get a SID which is put 
into the secrets.tbd file.

   But when I start the second one, it detects the SID in the secrets file 
and so doesn't create another.

   How can I differentiate the secrets.tbd file for each instance, 
each referring to a different smb.conf file and a particular domain?

2 - This one is related to the first question:
 Has anyone tested a configuration like this and had users 
connect to LDAP from the two domains?

Thanks!

Y.


[Samba] Samba + ldap issues

2009-08-25 Thread Allgood, John
Hey All


I am having problems with using openldap and samba. We have been having 
issues with samba passwords expiring and I have tried several things to resolve 
the issues. The ldap server was set up using the smbldap-tools. When the 
password expires the only thing I have been able to do is to reset the 
password. I have tried the smbldap-usemod -B -1 &username to disable the 
SambaPwdMustChange. I also tried to set the SambaAcctFlags to UX. We set this 
ldap server up in a hurry and did not have a chance to implement a proper 
password policy. This is using the stock version of Samba and LDAP that came 
with RHEL5.

John Allgood
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051  fax: (770) 531-7878

jallg...@ohl.com
www.ohl.com




[Samba] Samba-LDAP Password Expiration Email Script?

2009-08-11 Thread samba
Hi All,

I am currently running Samba with an OpenLDAP backend. I would like to be able 
to have a script run that would look at the sambaPwdLastSet attribute, compare 
it to the current time and then if needed...email the user a reminder to change 
their password. I have never written any scripts that reference the LDAP 
directory, so I'm hoping there is something out there that I can modify or 
reference for my own script.

Any help would be greatly appreciated, thanks!

--Bill
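
One way to do the check Bill describes, as an added Python example (not an existing Samba or smbldap-tools script): it reads `ldapsearch` LDIF output, compares `sambaPwdLastSet` (seconds since the epoch) with the current time and builds a reminder mail. The sample LDIF, the 42-day maximum age, the 14-day warning window and the sender address are constructed assumptions.

```python
import base64
import time
from email.message import EmailMessage

DAY = 86400

# Constructed sample of LDIF as ldapsearch -LLL would print it for
# (objectClass=sambaSamAccount) with attributes uid, mail, sambaPwdLastSet.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
mail: alice@example.com
sambaPwdLastSet: 1248000000

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
mail: bob@example.com
sambaPwdLastSet: 1243000000

dn: uid=carol,ou=Users,dc=exam
 ple,dc=com
uid: carol
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=
sambaPwdLastSet: 1250900000

dn: uid=ws01$,ou=Computers,dc=example,dc=com
uid: ws01$
sambaPwdLastSet: 1245000000
"""


def parse_ldif(text):
    """Parse LDIF into a list of dicts (first value per attribute, keys lower-cased).
    Handles folded lines (continuation starts with one space) and base64 values (attr::)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), value)
    return entries


def due_for_reminder(entries, max_age_days, warn_days, now=None):
    """Return (uid, mail, days_left) for accounts expiring within warn_days.
    days_left is negative once the password is past max_age_days."""
    now = int(time.time()) if now is None else now
    due = []
    for entry in entries:
        uid, mail = entry.get("uid", ""), entry.get("mail")
        last_set = entry.get("sambapwdlastset", "")
        # Skip machine accounts, accounts without a mail address, and entries
        # with a missing or zero timestamp (nothing usable to compare against).
        if uid.endswith("$") or not mail or not last_set.isdigit() or int(last_set) == 0:
            continue
        days_left = (int(last_set) + max_age_days * DAY - now) // DAY
        if days_left <= warn_days:
            due.append((uid, mail, days_left))
    return due


def build_reminder(uid, mail, days_left, sender="postmaster@example.com"):
    """Build the reminder message; hand it to smtplib.SMTP.send_message() to send it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, mail
    if days_left < 0:
        msg["Subject"] = "Your password has expired"
        body = f"Hello {uid},\n\nyour password expired {-days_left} day(s) ago.\n"
    else:
        msg["Subject"] = f"Your password expires in {days_left} day(s)"
        body = f"Hello {uid},\n\nplease change your password within {days_left} day(s).\n"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    for uid, mail, left in due_for_reminder(parse_ldif(SAMPLE_LDIF), 42, 14, now=1251000000):
        print(build_reminder(uid, mail, left))
```
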


[Samba] Samba + Ldap Unable to logon

2009-07-31 Thread bharat

Hi,

I am trying to setup Samba with LDAP Authentication. I am using Samba 
Version 3.0.25b-0.el5.4 and OpenLDAP: slapd 2.3.43.
I was able to run Samba with tdbsam as password backend and was able to 
join machine and authenticate XP users at logon.


Using the same configuration I have inserted all the directives required 
for ldap password backend, and am able to join a machine to domain. The 
problem is when I try to login to the Domain using the username/password 
defined in ldap, I get the following message at logon prompt.


"The system cannot log you on due to following error:
The system cannot find message text for message number 0x%1 in the 
message file for %2. Please try again or consult your system administrator."


and drops me back to the login prompt. Is this some kind of bug, in 
Samba/Openldap/Windows ?


Please help.

If I don't log into the domain and access the share using local system 
accounts, I am able to access all the shared folders for that user.


I am posting smb.conf below

[global]
 workgroup = MYDOMAIN
 netbios name = mydomain
 os level = 33
 preferred master = yes
 enable privileges = yes
 server string = %h server (Samba, Centos5)
 dns proxy = no
 name resolve order = wins bcast hosts
 log file = /var/log/samba/log.%m
 log level = 5
 max log size = 1000
 syslog only = no
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
 encrypt passwords = true
 ldap passwd sync = yes
#  passdb backed = tdbsam
 passdb backend = ldapsam:ldap://127.0.0.1
 ldap admin dn = "cn=Manager,dc=domain,dc=in"
 ldap suffix = dc=domain,dc=in
 ldap group suffix = ou=groups
 ldap user suffix = ou=users
 ldap machine suffix = ou=computers
 passwd program = /usr/sbin/smbldap-passwd -u %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

 socket options = TCP_NODELAY
 domain master = yes
 local master = yes
 wins support = yes
 domain logons = yes
 preferred master = yes
 admin users = root admin
 security = user

Thanks and Regards
Bharat


[Samba] samba ldap problem

2009-07-20 Thread Mischa Diehm
Hi,

we had this setup working for quite some time but after upgrading the
samba package things look different:

we now have the following samba/ldap setup:

samba-3.0.34p1-cups-ldap
openldap-server-2.3.43

the samba-ldap configuration is:
doing parameter ldap suffix = dc=foo,dc=ch
doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
doing parameter ldap user suffix = ou=Users,ou=Samba,ou=system
doing parameter ldap group suffix = ou=Groups,ou=Samba,ou=system
doing parameter ldap admin dn =
"cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=foo,dc=ch"
doing parameter ldap delete dn = no
doing parameter ldap passwd sync = no
doing parameter ldap replication sleep = 6000
doing parameter ldap timeout = 120
doing parameter ldap ssl = No

when starting the smbd things look ok:
Attempting to find an passdb backend to match ldapsam:ldap://localhost/
(ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))]
smbldap_search_ext: base => [dc=edubs,dc=ch], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://localhost/
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://localhost/ as
"cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=edubs,dc=ch"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
pdb backend ldapsam:ldap://localhost/ has a valid init


it seems the first connection works:
root:195# smbclient -L localhost -U foo.bar
Password: 
Anonymous login successful
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (ICT Fileserver)
read_socket_with_timeout: timeout read. read error = Connection reset by peer.
Receiving SMB: Server stopped responding
session request to LOCALHOST failed (Read error: Connection reset by peer)
Error connecting to 127.0.0.1 (Connection refused)
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available


but any connection afterwards fails with this:
root:199# smbclient -L localhost -U foo.bar
Password: 
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes

in this state we don't see any packets going to the ldap server anymore.
Have you seen this behaviour or do you have any hints how we could debug
this better?

Thanks in advance,
Mischa Diehm


Re: [Samba] samba ldap problem

2009-07-17 Thread Johan Hendriks


>>>> Hi,
>>>>
>>>> we had this setup working for quite some time but after upgrading the
>>>> samba package things look different:
>>>>
>>>> we now have the following samba/ldap setup:
>>>>
>>>> samba-3.0.34p1-cups-ldap
>>>> openldap-server-2.3.43
>>>>
>>>> the samba-ldap configuration is:
>>>> doing parameter ldap suffix = dc=foo,dc=ch
>>>> doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
>>>> snip
>>>>
>>>> in this state we don't see any packets going to the ldap server anymore.
>>>> Have you seen this behaviour or do you have any hints how we could debug
>>>> this better?
>>>
>>> Very strange is also the fact, that the first connection works, but
>>> gets interrupted in the middle somehow and then all subsequent
>>> attempts using smbclient fail:
>>>
>>> root:13# pgrep smbd
>>> 4268
>>> 30945
>>> root:14# smbclient -U mbalmer -L tesla
>>> Password:
>>> Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
>>> snip ..
>>>
>>> This is on OpenBSD 4.4/i386, btw.
>>>
>>> - Marc
>>
>> Did you copy the new samba schema file from the new samba version to the
>> openldap scheme directory?
>> I had some strange problems once after an update and that was the case in
>> my situation.
>
> Yes I did that, but of course the additional fields in the SambaDomain
> object are empty.  Do I need to fill them with some values?
>
> - Marc

As far as I know not, in my case the copy of the schema file was enough, I
could not imagine why it needs altering.
I mean this file (on FreeBSD):
/usr/local/share/examples/samba/LDAP/samba.schema

And that needs to be copied to the location mentioned in your slapd.conf
file, in my case:
include /usr/local/etc/openldap/schema/samba.schema

regards,
Johan



Re: [Samba] samba ldap problem

2009-07-17 Thread Marc Balmer


On 17.07.2009 at 13:55, Johan Hendriks wrote:

>>> Hi,
>>>
>>> we had this setup working for quite some time but after upgrading the
>>> samba package things look different:
>>>
>>> we now have the following samba/ldap setup:
>>>
>>> samba-3.0.34p1-cups-ldap
>>> openldap-server-2.3.43
>>>
>>> the samba-ldap configuration is:
>>> doing parameter ldap suffix = dc=foo,dc=ch
>>> doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
>>> snip
>>>
>>> in this state we don't see any packets going to the ldap server anymore.
>>> Have you seen this behaviour or do you have any hints how we could debug
>>> this better?
>>
>> Very strange is also the fact, that the first connection works, but
>> gets interrupted in the middle somehow and then all subsequent
>> attempts using smbclient fail:
>>
>> root:13# pgrep smbd
>> 4268
>> 30945
>> root:14# smbclient -U mbalmer -L tesla
>> Password:
>> Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
>> snip ..
>>
>> This is on OpenBSD 4.4/i386, btw.
>>
>> - Marc
>
> Did you copy the new samba schema file from the new samba version to the
> openldap scheme directory?
> I had some strange problems once after an update and that was the case in
> my situation.

Yes I did that, but of course the additional fields in the SambaDomain
object are empty.  Do I need to fill them with some values?

- Marc

> Regards,
> Johan


Re: [Samba] samba ldap problem

2009-07-17 Thread Johan Hendriks
>> Hi,
>>
>> we had this setup working for quite some time but after upgrading the
>> samba package things look different:
>>
>> we now have the following samba/ldap setup:
>>
>> samba-3.0.34p1-cups-ldap
>> openldap-server-2.3.43
>>
>> the samba-ldap configuration is:
>> doing parameter ldap suffix = dc=foo,dc=ch
>> doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
>>snip
>>
>> in this state we don't see any packets going to the ldap server anymore.
>> Have you seen this behaviour or do you have any hints how we could debug
>> this better?
>>

>Very strange is also the fact, that the first connection works, but
>gets interrupted in the middle somehow and then all subsequent
>attempts using smbclient fail:

>root:13# pgrep smbd
>4268
>30945
>root:14# smbclient -U mbalmer -L tesla
>Password:
>Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
> snip ..

>This is on OpenBSD 4.4/i386, btw.

>- Marc

Did you copy the new samba schema file from the new samba version to the
openldap scheme directory?
I had some strange problems once after an update and that was the case in
my situation.

Regards,
Johan




Re: [Samba] samba ldap problem

2009-07-17 Thread Marc Balmer


On 16.07.2009 at 18:01, Mischa Diehm wrote:


Hi,

we had this setup working for quite some time but after upgrading the
samba package things look different:

we now have the following samba/ldap setup:

samba-3.0.34p1-cups-ldap
openldap-server-2.3.43

the samba-ldap configuration is:
doing parameter ldap suffix = dc=foo,dc=ch
doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
doing parameter ldap user suffix = ou=Users,ou=Samba,ou=system
doing parameter ldap group suffix = ou=Groups,ou=Samba,ou=system
doing parameter ldap admin dn = "cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=foo,dc=ch"
doing parameter ldap delete dn = no
doing parameter ldap passwd sync = no
doing parameter ldap replication sleep = 6000
doing parameter ldap timeout = 120
doing parameter ldap ssl = No

when starting the smbd things look ok:
Attempting to find an passdb backend to match ldapsam:ldap://localhost/ (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))]
smbldap_search_ext: base => [dc=edubs,dc=ch], filter => [(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://localhost/
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://localhost/ as "cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=edubs,dc=ch"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
pdb backend ldapsam:ldap://localhost/ has a valid init


it seems the first connection works:
root:195# smbclient -L localhost -U foo.bar
Password:
Anonymous login successful
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]

   Sharename       Type      Comment
   ---------       ----      -------
   IPC$            IPC       IPC Service (ICT Fileserver)
read_socket_with_timeout: timeout read. read error = Connection reset by peer.

Receiving SMB: Server stopped responding
session request to LOCALHOST failed (Read error: Connection reset by peer)

Error connecting to 127.0.0.1 (Connection refused)
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available


but any connection afterwards fails with this:
root:199# smbclient -L localhost -U foo.bar
Password:
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes

in this state we don't see any packets going to the ldap server anymore.
Have you seen this behaviour or do you have any hints how we could debug
this better?


Very strange is also the fact, that the first connection works, but
gets interrupted in the middle somehow and then all subsequent
attempts using smbclient fail:


root:13# pgrep smbd
4268
30945
root:14# smbclient -U mbalmer -L tesla
Password:
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (ICT Fileserver)
mbalmer         Disk      Home Directories
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes (EOF)
NetBIOS over TCP disabled -- no workgroup available
root:15# smbclient -U mbalmer -L tesla
Password:
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes (EOF)


This is on OpenBSD 4.4/i386, btw.

- Marc



Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Quinn Fissler
As you probably realise, the two separate areas are what samba requires in
ldap and what Linux requires - it's likely that you've only populated the
samba required stuff.

Think of ldap like a /etc/passwd file with many more columns. You only have
the columns for samba but most of the Linux/POSIX columns are missing.

There are many ways to deal with this! Too many :-/

but they're all fun :-)

ldapmodify is one to look at - you can adjust various items.

you could export the whole ldap db using slapcat and then tidy the whole
thing before importing it back...

I think that both require some extra steps and as soon as you look at them,
you'll see which approach suits you.





2009/6/19 Dave Beach 

> Hello list! I believe I may not have a Samba problem, but rather an LDAP
> directory problem. I'm hoping to be redirected towards a more appropriate
> mailing list to which I can post.
>
> I have a Slackware server running Samba and OpenLDAP, and my WinXP clients
> authenticate just fine. I migrated from an smbpasswd backend to OpenLDAP
> with a BD backend some time ago, using the migration tools provided with
> smbldap-tools. Everything has been working fine.
>
> I now want to bring a Ubuntu workstation online, and authenticate to the
> same LDAP database. I've understood that my previous approach was wrong
> (trying to somehow get the Ubuntu box to join the domain), and that I
> instead need to use nss and pam to point directly to the LDAP database on
> the Slackware server. So far, so good. Ubuntu packages sourced and
> installed.
>
> Executing "getent group" on the Ubuntu client produces the expected results.
> Executing "getent passwd" does not; it only shows me a subset of the user
> accounts (notably, not my own account which was created prior to migration).
> Fiddling about with a couple of Windows-based ldap query clients, I can see
> that there seem to be some differences between accounts that were created
> pre-migration and those created post-migration. As an example, accounts
> created post-migration seem to have different "objectClass" attributes and
> values associated with them than do accounts created pre-migration - and the
> post-migration accounts are all visible with "getent passwd" on the Ubuntu
> client. Also, the pre-migration accounts have the "account" objectClass
> associated with them, while the post-migration accounts have the "person"
> objectClass associated with them. The post-migration accounts also seem to
> have the "posixAccount" object class associated with them. There are other
> differences, but these strike me (in my ignorance) as possibly being the
> source of the problem.
>
> In case it isn't obvious, I have zero LDAP experience other than this
> futzing around I'm doing. It seems fairly obvious that I need to somehow
> alter the pre-migration accounts in some way to make them more like the
> post-migration accounts, such that I can then log onto the Ubuntu client
> with the same user ID with which I log onto the WinXp clients. I'm reluctant
> to do much so far, in fear that I'll manage to irreparably damage the
> pre-migration accounts (somehow lose the SID, etc) such that they'll need to
> be re-created, with all the pain that entails on the WinXP clients (I use
> local profiles only on the WinXP boxes).
>
> So, as I said, probably not a Samba problem per se. Would someone be so kind
> as to suggest the proper list in which I can post this problem?
>
> Thanks very much in advance.


Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Olivier Nicole
To add a bit more, my users typically look like:

dn: uid=a103,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: a103
sn: x
uid: a103
uidNumber: 5072
gidNumber: 95
homeDirectory: /home/a103
loginShell: /bin/sh
mail: a...@cs.ait.ac.th
givenName: 
gecos:  
userPassword: {md5}xx==
sambaSID: S-1-5-21-x-y-z-11144
sambaAcctFlags: [U  ]
sambaPasswordHistory: 

sambaPwdLastSet: 1243416344
sambaNTPassword: y

I think that Unix and samba authentication will not work with anything
less. sambaLMPassword will be necessary too for Win9x/Me
authentication.

Olivier


Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Olivier Nicole
Hi,

> Executing "getent group" on the Ubuntu client produces the expected results.
> Executing "getent passwd" does not; it only shows me a subset of the user
> accounts (notably, not my own account which was created prior to migration).

I am running successfully with the user accounts having the objectClass:

 inetOrgPerson
 posixAccount
 shadowAccount
 top

I think that posixAccount is necessary. Typically, objectClass person
is not what you need to store a Unix account, you need to have home
directory, shell, uid number, gid number, etc. and password to
authenticate a Unix user with LDAP.

Adding an objectClass or Attributes to an existing entry of your LDAP
will not break anything that is already working.

Bests,

Olivier
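
The check that both of Olivier's messages above describe (an entry needs posixAccount and its Unix attributes before `getent passwd` can list it), as an added Python example that is not part of the original posts. It audits an LDIF export such as `slapcat` output and builds an add-only change record for `ldapmodify`; the sample entries, DNs and values are constructed, and `parse_ldif`, `audit_entry`, `audit` and `build_modify` are names chosen here.

```python
import base64

# RFC 2307: posixAccount MUST carry these attributes. With nss_ldap's default
# mapping, an entry lacking the class or any of them yields no passwd line.
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample (not data from the thread): a pre-migration style entry
# followed by a post-migration style entry with one folded line.
SAMPLE_LDIF = """\
dn: uid=olduser,ou=Users,dc=example,dc=org
objectClass: account
objectClass: sambaSamAccount
uid: olduser
sambaSID: S-1-5-21-1-2-3-3000

dn: uid=newuser,ou=Users,dc=example,dc=org
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: newuser
sn: newuser
uid: newuser
uidNumber: 5001
gidNumber: 513
homeDirectory: /home/
 newuser
sambaSID: S-1-5-21-1-2-3-11002
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # comment line
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # folded line continues previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit_entry(entry):
    """List what stops this entry from appearing in `getent passwd`."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in POSIX_REQUIRED:
        if not any(entry.get(attr.lower(), [])):
            problems.append("missing " + attr)
    for attr in ("uidNumber", "gidNumber"):
        for value in entry.get(attr.lower(), []):
            if value and not value.isdigit():
                problems.append(f"{attr} is not numeric: {value!r}")
    return problems


def audit(text):
    """Map each DN in the LDIF to its list of problems (empty list = fine)."""
    return {e["dn"][0]: audit_entry(e) for e in parse_ldif(text) if "dn" in e}


def build_modify(entry, values):
    """Build an add-only LDIF change record for what audit_entry found missing.

    `values` maps attribute name -> value chosen by the administrator. Only
    `add:` operations are emitted, so existing attributes stay untouched.
    """
    dn, ops = entry["dn"][0], []
    if "posixaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        ops += ["add: objectClass", "objectClass: posixAccount", "-"]
    for attr in POSIX_REQUIRED:
        if not any(entry.get(attr.lower(), [])):
            if attr not in values:
                raise ValueError(f"no value supplied for {attr} on {dn}")
            ops += [f"add: {attr}", f"{attr}: {values[attr]}", "-"]
    if not ops:
        return ""
    return "\n".join([f"dn: {dn}", "changetype: modify"] + ops) + "\n"


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "visible to NSS")
```

Because the change record contains only `add:` operations, the sambaSID and password attributes of a pre-migration account are not rewritten; the uidNumber and gidNumber values still have to be chosen so that they match the existing Unix ownership.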


[Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Dave Beach
Hello list! I believe I may not have a Samba problem, but rather an LDAP
directory problem. I'm hoping to be redirected towards a more appropriate
mailing list to which I can post.

I have a Slackware server running Samba and OpenLDAP, and my WinXP clients
authenticate just fine. I migrated from an smbpasswd backend to OpenLDAP
with a BD backend some time ago, using the migration tools provided with
smbldap-tools. Everything has been working fine.

I now want to bring a Ubuntu workstation online, and authenticate to the
same LDAP database. I've understood that my previous approach was wrong
(trying to somehow get the Ubuntu box to join the domain), and that I
instead need to use nss and pam to point directly to the LDAP database on
the Slackware server. So far, so good. Ubuntu packages sourced and
installed.

Executing "getent group" on the Ubuntu client produces the expected results.
Executing "getent passwd" does not; it only shows me a subset of the user
accounts (notably, not my own account which was created prior to migration).
Fiddling about with a couple of Windows-based ldap query clients, I can see
that there seem to be some differences between accounts that were created
pre-migration and those created post-migration. As an example, accounts
created post-migration seem to have different "objectClass" attributes and
values associated with them than do accounts created pre-migration - and the
post-migration accounts are all visible with "getent passwd" on the Ubuntu
client. Also, the pre-migration accounts have the "account" objectClass
associated with them, while the post-migration accounts have the "person"
objectClass associated with them. The post-migration accounts also seem to
have the "posixAccount" object class associated with them. There are other
differences, but these strike me (in my ignorance) as possibly being the
source of the problem.

In case it isn't obvious, I have zero LDAP experience other than this
futzing around I'm doing. It seems fairly obvious that I need to somehow
alter the pre-migration accounts in some way to make them more like the
post-migration accounts, such that I can then log onto the Ubuntu client
with the same user ID with which I log onto the WinXp clients. I'm reluctant
to do much so far, in fear that I'll manage to irreparably damage the
pre-migration accounts (somehow lose the SID, etc) such that they'll need to
be re-created, with all the pain that entails on the WinXP clients (I use
local profiles only on the WinXP boxes).

So, as I said, probably not a Samba problem per se. Would someone be so kind
as to suggest the proper list in which I can post this problem?

Thanks very much in advance.





Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-06-11 Thread Volker Lendecke
On Sat, May 16, 2009 at 09:40:16AM +0100, Martin Edwards wrote:
> It looks like we've fixed this.  It seems msdfs is on by default.  By chance
> I disabled it:
> 
> host msdfs = no
> 
> No more memory leak!
> 
> At some point I will endeavour to recreate the old problem on a test box and
> find out why msdfs causes the memory leak and report back to the list.

Any news here?

Thanks,

Volker



Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Tim Bates

dogbert wrote:

Ok, a little update on this issue.
I've changed the various common-* within /etc/pam.d and I've obtained
the following.
Now I can connect with ssh or su with a user defined in ldap as long
as this user is present also in /etc/passwd.
It seems that the system checks for the user account in /etc/passwd and
then it checks for password under ldap.
Now if a user tries to change his password (with the passwd command) it
works through ldap.
While using "getent passwd" I still obtain only the users contained in
/etc/passwd.

I'd suggest having a good read of this page:
https://help.ubuntu.com/community/LDAPClientAuthentication

If you're still having no LDAP results show up with getent, then there's 
issues with nsswitch still. The nsswitch.conf you sent me looks right, 
so I'd put my money on a problem in your ldap client settings. Check 
/etc/ldap.conf and /etc/ldap/ldap.conf and make sure anything set there 
is correct. Also check that a basedn is set in one of them and the host 
is set correctly.


You may also want to check you can access the LDAP data from an LDAP 
viewer... I use phpldapadmin to check actual content, and LAM to manage 
accounts. But any LDAP client that shows the tree will help.


TB



Re: [Samba] Samba+Ldap problems

2009-06-03 Thread dogbert

Ok, a little update on this issue.
I've changed the various common-* within /etc/pam.d and I've obtained the
following.
Now I can connect with ssh or su with a user defined in ldap as long as this
user is present also in /etc/passwd.
It seems that the system checks for the user account in /etc/passwd and then it
checks for password under ldap.
Now if a user tries to change his password (with the passwd command) it works
through ldap.

While using "getent passwd" I still obtain only the users contained in
/etc/passwd.
These are my /etc/pam.d files:

COMMON-AUTH:
auth        sufficient  pam_ldap.so
auth        required    pam_unix.so nullok_secure use_first_pass
auth        requisite   pam_deny.so
auth        required    pam_permit.so
auth        optional    pam_smbpass.so migrate

COMMON-ACCOUNT:
account     sufficient  pam_ldap.so
account     required    pam_unix.so
account     requisite   pam_deny.so
account     required    pam_permit.so

COMMON-PASSWORD:
password    sufficient  pam_ldap.so
password    required    pam_unix.so nullok obscure min=4 max=8 md5
password    requisite   pam_deny.so
password    required    pam_permit.so
password    optional    pam_smbpass.so nullok use_authtok use_first_pass


COMMON-SESSION:
session     [default=1] pam_permit.so
session     requisite   pam_deny.so
session     required    pam_permit.so
session     required    pam_unix.so
session     optional    pam_ldap.so
session     optional    pam_ck_connector.so nox11

SSHD:
auth        required    pam_env.so # [1]
auth        required    pam_env.so envfile=/etc/default/locale
@include common-auth
account     required    pam_nologin.so
@include common-account
@include common-session
session     optional    pam_motd.so # [1]
session     optional    pam_mail.so standard noenv # [1]
session     required    pam_limits.so
@include common-password

LOGIN:
auth        requisite   pam_securetty.so
auth        requisite   pam_nologin.so
session     required    pam_selinux.so close
session     required    pam_env.so readenv=1
session     required    pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth        optional    pam_group.so
session     required    pam_limits.so
session     optional    pam_lastlog.so
session     optional    pam_motd.so
session     optional    pam_mail.so standard
@include common-account
@include common-session
@include common-password
session     required    pam_selinux.so open

SU:
auth        sufficient  pam_rootok.so
session     required    pam_env.so readenv=1
session     required    pam_env.so readenv=1 envfile=/etc/default/locale
session     optional    pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

SAMBA:
@include common-auth
@include common-account
@include common-session


Tim Bates wrote:

dogb...@infinito.it wrote:

Thanks Oliver,
I will check all the files in /etc/pam.d
  

Check /etc/nsswitch.conf first. I think it may be your first problem.

I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.
You need that working before you can start the Samba stages. Samba needs 
those accounts working before it can work properly.


TB





Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Tim Bates

dogb...@infinito.it wrote:

Thanks Oliver,
I will check all the files in /etc/pam.d
  

Check /etc/nsswitch.conf first. I think it may be your first problem.


I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.
You need that working before you can start the Samba stages. Samba needs 
those accounts working before it can work properly.


TB


Re: [Samba] Samba+Ldap problems

2009-06-03 Thread dogbert
Thanks Oliver,
I will check all the files in /etc/pam.d

My problems are with samba, but after a little troubleshooting I think that
some of them are originated at PAM/Ldap level, so I'm checking this first.
I've followed the guide taken from Ubuntu site:
https://help.ubuntu.com/8.10/serverguide/C/network-authentication.html

I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.

Thanks,
Riccardo

- Original Message
From: Olivier Nicole
To:
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+Ldap problems
Date: 03/06/09 12:42

> 
> 
> Hi,
> 
> > I'm trying to use it to
> > login via ssh. This user cannot authenticate.
> > Here is the result from auth.log and some configurations files
> 
> This is not a samba problem but a SSH/Ubuntu/Ldap problem :)
> 
> You need both packages pam_ldap AND nss_ldap.
> 
> You need to configure both (configuration is very similar, but there
> may be some differences).
> 
> To give a brief explanation:
> 
> pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to
> accept the username and password
> 
> nss_ldap is used by things like getent, or to show your correct
> username and group when you do a "ls -l"
> 
> Now it much depends how your LDAP tree is organized, so I cannot give
> much more advice; what is the objectClass you use for your users? I am
> surprised to see that user and password belongs to different place in
> the LDAP tree. I am also surprised that the /etc/pam.d example you
> give do not contain a single reference to ldap...
> 
> There are good how-to floating on Google, that work you step by step.
> 
> 
> Best regards,
> 
> Olivier
> 




Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Olivier Nicole
Hi,

> I'm trying to use it to
> login via ssh. This user cannot authenticate.
> Here is the result from auth.log and some configurations files

This is not a samba problem but a SSH/Ubuntu/Ldap problem :)

You need both packages pam_ldap AND nss_ldap.

You need to configure both (configuration is very similar, but there
may be some differences).

To give a brief explanation:

pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to
accept the username and password

nss_ldap is used by things like getent, or to show your correct
username and group when you do a "ls -l"

Now it much depends how your LDAP tree is organized, so I cannot give
much more advice; what is the objectClass you use for your users? I am
surprised to see that user and password belongs to different place in
the LDAP tree. I am also surprised that the /etc/pam.d example you
give do not contain a single reference to ldap...

There are good how-to floating on Google, that work you step by step.


Best regards,

Olivier


[Samba] Samba+Ldap problems

2009-06-03 Thread dogbert
I'm trying to troubleshoot my previous problem from the basics.

I've a box setup with Ubuntu, samba and ldap. I have a lot of problems with
user authentications.
I'm checking if LDAP and PAM are working together. I've added a user to ldap
with smbldap-useradd command (as posix account) and I'm trying to use it to
login via ssh. This user cannot authenticate.
Here is the result from auth.log and some configurations files:

Jun  3 11:02:37 localserver sshd[27372]: Invalid user testmio from 192.168.10.1
Jun  3 11:02:37 localserver sshd[27372]: Failed none for invalid user testmio from 192.168.10.1 port 44352 ssh2
Jun  3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): check pass; user unknown
Jun  3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteclient.domain.it
Jun  3 11:02:39 localserver sshd[27372]: pam_ldap: error trying to bind as user "uid=testmio,ou=Users,dc=domain,dc=it" (Invalid credentials)
Jun  3 11:02:41 localserver sshd[27372]: Failed password for invalid user testmio from 192.168.10.1 port 44352 ssh2

If I use the command "getent passwd" I obtain only the account present in
/etc/passwd file and none of those included in ldap.

/etc/pam.conf is empty

# /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session


# etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session required pam_selinux.so open


# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

ldap.conf contains the following directives:
nss_base_passwd ou=Users,dc=domain,dc=it?one
nss_base_passwd ou=Computers,dc=domain,dc=it?one
nss_base_shadow ou=Users,dc=domain,dc=it?one
nss_base_group  ou=Groups,dc=domain,dc=it?one
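
How the auth.log excerpt above separates into the two layers discussed in this thread (nss_ldap for account lookup, pam_ldap for the password), as an added Python example that is not part of the original post. The log lines are the six from the post, re-joined onto single lines; `triage` and `diagnose` are names chosen here, and the advice strings are this example's wording.

```python
import re

# The six auth.log lines from the post above, re-joined onto single lines.
AUTH_LOG = """\
Jun  3 11:02:37 localserver sshd[27372]: Invalid user testmio from 192.168.10.1
Jun  3 11:02:37 localserver sshd[27372]: Failed none for invalid user testmio from 192.168.10.1 port 44352 ssh2
Jun  3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): check pass; user unknown
Jun  3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteclient.domain.it
Jun  3 11:02:39 localserver sshd[27372]: pam_ldap: error trying to bind as user "uid=testmio,ou=Users,dc=domain,dc=it" (Invalid credentials)
Jun  3 11:02:41 localserver sshd[27372]: Failed password for invalid user testmio from 192.168.10.1 port 44352 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (component, finding, pattern matched at the start of the message)
RULES = [
    ("nss", "account not resolvable",
     re.compile(r"Invalid user (?P<user>\S+) from (?P<source>\S+)")),
    ("nss", "account not resolvable",
     re.compile(r"pam_unix\(sshd:auth\): check pass; user unknown")),
    ("pam_ldap", "bind rejected",
     re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" '
                r"\((?P<reason>[^)]+)\)")),
]


def triage(log_text):
    """Group sshd lines by PID and record which lookup layer failed."""
    sessions = {}
    for line in log_text.splitlines():
        parsed = LINE.match(line)
        if not parsed:
            continue
        session = sessions.setdefault(parsed["pid"], {
            "user": None, "source": None, "dn": None, "reason": None,
            "findings": []})
        for component, finding, pattern in RULES:
            hit = pattern.match(parsed["msg"])
            if not hit:
                continue
            session.update(hit.groupdict())
            if (component, finding) not in session["findings"]:
                session["findings"].append((component, finding))
    return sessions


def diagnose(session):
    """Turn the findings of one session into per-layer checks."""
    advice = []
    if ("nss", "account not resolvable") in session["findings"]:
        advice.append(
            f"NSS: the lookup of {session['user']!r} returned no account, so "
            "sshd and pam_unix treat the user as unknown; check nsswitch.conf "
            "and the nss_ldap settings until `getent passwd` lists the account")
    if ("pam_ldap", "bind rejected") in session["findings"]:
        advice.append(
            f"pam_ldap: located {session['dn']} but the bind was refused "
            f"({session['reason']}); the password offered did not match "
            "that entry")
    return advice


if __name__ == "__main__":
    for pid, session in triage(AUTH_LOG).items():
        print(pid, session["user"], session["findings"])
        for item in diagnose(session):
            print("  -", item)
```

On the posted log both layers fail in the same session, which is why fixing only the PAM files leaves `getent passwd` unchanged.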






Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-16 Thread Volker Lendecke
On Sat, May 16, 2009 at 09:40:16AM +0100, Martin Edwards wrote:
> It looks like we've fixed this.  It seems msdfs is on by default.  By chance
> I disabled it:
> 
> host msdfs = no
> 
> No more memory leak!
> 
> At some point I will endeavour to recreate the old problem on a test box and
> find out why msdfs causes the memory leak and report back to the list.
> 
> Thank you for all your help.

Thanks a lot for that feedback!

If you can, please run that test box with valgrind --tool=memcheck

If you need any assistance with this, feel free to ask! I
*really* want to fix this :-)

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-16 Thread Martin Edwards
It looks like we've fixed this.  It seems msdfs is on by default.  By chance
I disabled it:

host msdfs = no

No more memory leak!

At some point I will endeavour to recreate the old problem on a test box and
find out why msdfs causes the memory leak and report back to the list.

Thank you for all your help.

On Mon, May 11, 2009 at 10:00 PM, Martin Edwards <
martin.f.edwa...@googlemail.com> wrote:

> We will endeavour to do this on a test system in the next few days.
>
> Thanks once again for your assistance.
>
>
> On Mon, May 11, 2009 at 10:18 AM, Volker Lendecke <
> volker.lende...@sernet.de> wrote:
>
>> On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
>> > Do you think notifies could be responsible for the memory leak?  Despite
>> > there being all of those entries they don't add up to anything like the
>> > usage of the process.
>>
>> It might be possible that we have a leak somewhere around
>> the notifies. Notifies are an operation that normal clients
>> do a lot less than IIS, that's why I think it might be that.
>>
>> Do you see a chance to run a test smbd with comparable load
>> under valgrind? This would almost 100% show the real leak.
>>
>> Volker
>>
>
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
We will endeavour to do this on a test system in the next few days.

Thanks once again for your assistance.

On Mon, May 11, 2009 at 10:18 AM, Volker Lendecke  wrote:

> On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
> > Do you think notifies could be responsible for the memory leak?  Despite
> > there being all of those entries they don't add up to anything like the
> > usage of the process.
>
> It might be possible that we have a leak somewhere around
> the notifies. Notifies are an operation that normal clients
> do a lot less than IIS, that's why I think it might be that.
>
> Do you see a chance to run a test smbd with comparable load
> under valgrind? This would almost 100% show the real leak.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Volker Lendecke
On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
> Do you think notifies could be responsible for the memory leak?  Despite
> there being all of those entries they don't add up to anything like the
> usage of the process.

It might be possible that we have a leak somewhere around
the notifies. Notifies are an operation that normal clients
do a lot less than IIS, that's why I think it might be that.

Do you see a chance to run a test smbd with comparable load
under valgrind? This would almost 100% show the real leak.

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Do you think notifies could be responsible for the memory leak?  Despite
there being all of those entries they don't add up to anything like the
usage of the process.


On Mon, May 11, 2009 at 9:55 AM, Volker Lendecke
wrote:

> On Mon, May 11, 2009 at 09:31:48AM +0100, Martin Edwards wrote:
> > Sorry it's taken so long to reply.  The pool-usage output for one such
> > process is here:
> >
> > http://samba.dreamhosters.com/pool-usage.txt
>
> Thanks for that output! It seems we need to do something
> with notifies.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Volker Lendecke
On Mon, May 11, 2009 at 09:31:48AM +0100, Martin Edwards wrote:
> Sorry it's taken so long to reply.  The pool-usage output for one such
> process is here:
> 
> http://samba.dreamhosters.com/pool-usage.txt

Thanks for that output! It seems we need to do something
with notifies.

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Samba version is 3.3.3.

On Mon, May 11, 2009 at 9:31 AM, Martin Edwards <
martin.f.edwa...@googlemail.com> wrote:

> Sorry it's taken so long to reply.  The pool-usage output for one such
> process is here:
>
> http://samba.dreamhosters.com/pool-usage.txt
>
> The problem has been mitigated somewhat just by giving the box more RAM but
> it's very frustrating.
>
>
> On Sat, May 2, 2009 at 9:31 AM, Volker Lendecke wrote:
>
>> On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
>> > (Sorry, I meant to send this to the list first time around)
>> >
>> > Thanks very much for that.
>> >
>> > On a thread using 1.2GB pool-usage reports:
>> >
>> > full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)
>> >
>> > There are thousands of lib/charcnv.c:601 entries but all using only 1 block
>> > each.
>>
>> Can you post the whole output somewhere? Which exact Samba
>> version was this (needed for the line number)?  You wrote
>> that it happens with many versions. And, this obviously does
>> not account for 1.2GB, so there must be something else.
>>
>> Volker
>>
>
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Sorry it's taken so long to reply.  The pool-usage output for one such
process is here:

http://samba.dreamhosters.com/pool-usage.txt

The problem has been mitigated somewhat just by giving the box more RAM but
it's very frustrating.

On Sat, May 2, 2009 at 9:31 AM, Volker Lendecke
wrote:

> On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
> > (Sorry, I meant to send this to the list first time around)
> >
> > Thanks very much for that.
> >
> > On a thread using 1.2GB pool-usage reports:
> >
> > full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)
> >
> > There are thousands of lib/charcnv.c:601 entries but all using only 1 block
> > each.
>
> Can you post the whole output somewhere? Which exact Samba
> version was this (needed for the line number)?  You wrote
> that it happens with many versions. And, this obviously does
> not account for 1.2GB, so there must be something else.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-02 Thread Volker Lendecke
On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
> (Sorry, I meant to send this to the list first time around)
> 
> Thanks very much for that.
> 
> On a thread using 1.2GB pool-usage reports:
> 
> full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)
> 
> There are thousands of lib/charcnv.c:601 entries but all using only 1 block
> each.

Can you post the whole output somewhere? Which exact Samba
version was this (needed for the line number)?  You wrote
that it happens with many versions. And, this obviously does
not account for 1.2GB, so there must be something else.

Volker


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
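
Added example (not code from the thread or from Samba): a summary of a talloc pool-usage report by allocation site, plus the comparison Volker makes above between what talloc reports and what the process actually holds. The entry layout matched by `ENTRY_RE` and the sample report are assumptions; only the header format, the `lib/charcnv.c:601` name and the two figures in `__main__` come from the thread.

```python
import re
from collections import defaultdict

# Header line as quoted in the thread; \s+ tolerates a header re-wrapped by a mailer.
HEADER_RE = re.compile(
    r"full\s+talloc\s+report\s+on\s+'(?P<ctx>[^']+)'\s+"
    r"\(total\s+(?P<bytes>\d+)\s+bytes\s+in\s+(?P<blocks>\d+)\s+blocks\)"
)
# ASSUMED entry layout: "<indent><name> contains <n> bytes in <m> blocks (ref <r>)".
# <name> is a type name or, for unnamed allocations, the file:line of the caller.
ENTRY_RE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<name>\S.*?)\s+contains\s+(?P<bytes>\d+)\s+bytes\s+in\s+"
    r"(?P<blocks>\d+)\s+blocks\s+\(ref\s+\d+\)"
)

# Constructed sample report (not the output linked in the thread).
SAMPLE_REPORT = """\
full talloc report on 'null_context' (total    212 bytes in   8 blocks)
    lib/charcnv.c:601              contains     12 bytes in   1 blocks (ref 0)
    lib/charcnv.c:601              contains     20 bytes in   1 blocks (ref 0)
    struct constructed_ctx         contains    120 bytes in   3 blocks (ref 0)
        constructed child          contains     40 bytes in   1 blocks (ref 0)
        lib/charcnv.c:601          contains     16 bytes in   1 blocks (ref 0)
    lib/charcnv.c:601              contains     60 bytes in   2 blocks (ref 0)
"""


def parse_report(text):
    """Return ((context, total_bytes, total_blocks), [(indent, name, bytes, blocks), ...])."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'full talloc report' header found")
    header = (m.group("ctx"), int(m.group("bytes")), int(m.group("blocks")))
    entries = []
    for line in text.splitlines():
        e = ENTRY_RE.match(line)
        if e:
            entries.append((len(e.group("indent").expandtabs()), e.group("name"),
                            int(e.group("bytes")), int(e.group("blocks"))))
    return header, entries


def by_site(entries):
    """Aggregate top-level entries by name: [(name, count, bytes)], largest first.

    Each size already includes the entry's children, so only the outermost
    level is summed; adding nested lines as well would count memory twice.
    """
    if not entries:
        return []
    top = min(indent for indent, _, _, _ in entries)
    totals = defaultdict(lambda: [0, 0])
    for indent, name, nbytes, _ in entries:
        if indent == top:
            totals[name][0] += 1
            totals[name][1] += nbytes
    return sorted(((n, c, b) for n, (c, b) in totals.items()),
                  key=lambda row: (-row[2], row[0]))


def talloc_share(talloc_bytes, process_bytes):
    """Fraction of the process footprint that the talloc report accounts for."""
    if process_bytes <= 0:
        raise ValueError("process size must be positive")
    return talloc_bytes / process_bytes


if __name__ == "__main__":
    header, entries = parse_report(SAMPLE_REPORT)
    print("context %s: %d bytes in %d blocks" % header)
    for name, count, nbytes in by_site(entries):
        print("%-28s %5d entries %8d bytes" % (name, count, nbytes))
    # Figures from the thread: 5898052 bytes reported, process at about 1.2GB.
    share = talloc_share(5898052, int(1.2 * 1024 ** 3))
    print("talloc accounts for %.2f%% of the process" % (share * 100))
```

A share this small means the growth is in memory talloc does not track, which is why the next step proposed in the thread is valgrind.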

Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-01 Thread Martin Edwards
(Sorry, I meant to send this to the list first time around)

Thanks very much for that.

On a thread using 1.2GB pool-usage reports:

full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)

There are thousands of lib/charcnv.c:601 entries but all using only 1 block
each.

On Fri, May 1, 2009 at 9:29 AM, Volker Lendecke
wrote:

> On Thu, Apr 30, 2009 at 02:55:46PM +0100, Martin Edwards wrote:
> > I'm not sure if this is a bug or a problem we are causing which is why I'm
> > posting to the list first in the hope that someone else might have come
> > across it.
> >
> > We have been using Samba quite successfully for a number of years.  However,
> > with this new setup we have a problem.
> >
> > We're using Samba as a backend for a web farm - 6 or 7 Windows servers
> > running IIS with all the website data under UNC paths and all the anonymous
> > web users and app pools running as domain users.
> >
> > Samba itself uses an LDAP backend.
> >
> > This setup works very nicely for our needs however we have an issue in that
> > each Samba process belonging to one of the web servers seems to consume RAM
> > indefinitely until it is killed.  When the servers are busy each thread can
> > use 1GB in 20 minutes.
> >
> > Obviously this is extremely abnormal memory usage.
> >
> > My only guess is that, when a page is requested on a website and not found,
> > Samba allocates the memory and does not free it?
> >
> > We have tried Samba 3.0, 3.2 and 3.3 (various iterations) and have
> > experienced exactly the same problem.
> >
> > Can anyone offer any insight.  I would be most grateful.
>
> Two steps: Can you run "smbcontrol  pool-usage" on a
> moderately large smbd and send the result? If that does not
> show anything suspicious, we will ask you to run it under
> valgrind --tool=memcheck. Be aware that this *significantly*
> slows down operation, so you might need some kind of plan
> how to do this. But it is the safest way to find out
> what's going on.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-01 Thread Volker Lendecke
On Thu, Apr 30, 2009 at 02:55:46PM +0100, Martin Edwards wrote:
> I'm not sure if this is a bug or a problem we are causing which is why I'm
> posting to the list first in the hope that someone else might have come
> across it.
> 
> We have been using Samba quite successfully for a number of years.  However,
> with this new setup we have a problem.
> 
> We're using Samba as a backend for a web farm - 6 or 7 Windows servers
> running IIS with all the website data under UNC paths and all the anonymous
> web users and app pools running as domain users.
> 
> Samba itself uses an LDAP backend.
> 
> This setup works very nicely for our needs however we have an issue in that
> each Samba process belonging to one of the web servers seems to consume RAM
> indefinitely until it is killed.  When the servers are busy each thread can
> use 1GB in 20 minutes.
> 
> Obviously this is extremely abnormal memory usage.
> 
> My only guess is that, when a page is requested on a website and not found,
> Samba allocates the memory and does not free it?
> 
> We have tried Samba 3.0, 3.2 and 3.3 (various iterations) and have
> experienced exactly the same problem.
> 
> Can anyone offer any insight.  I would be most grateful.

Two steps: Can you run "smbcontrol  pool-usage" on a
moderately large smbd and send the result? If that does not
show anything suspicious, we will ask you to run it under
valgrind --tool=memcheck. Be aware that this *significantly*
slows down operation, so you might need some kind of plan
how to do this. But it is the safest way to find out
what's going on.

Volker



[Samba] Samba + LDAP + IIS = massive memory usage

2009-04-30 Thread Martin Edwards
Dear readers,

I'm not sure if this is a bug or a problem we are causing which is why I'm
posting to the list first in the hope that someone else might have come
across it.

We have been using Samba quite successfully for a number of years.  However,
with this new setup we have a problem.

We're using Samba as a backend for a web farm - 6 or 7 Windows servers
running IIS with all the website data under UNC paths and all the anonymous
web users and app pools running as domain users.

Samba itself uses an LDAP backend.

This setup works very nicely for our needs however we have an issue in that
each Samba process belonging to one of the web servers seems to consume RAM
indefinitely until it is killed.  When the servers are busy each thread can
use 1GB in 20 minutes.

Obviously this is extremely abnormal memory usage.

My only guess is that, when a page is requested on a website and not found,
Samba allocates the memory and does not free it?

We have tried Samba 3.0, 3.2 and 3.3 (various iterations) and have
experienced exactly the same problem.

Can anyone offer any insight.  I would be most grateful.

Martin.

[global]
csc policy = disable
deadtime = 25
dead time = 25
admin users = root
max mux = 500
max open files = 500
workgroup = PWMDERBY
netbios name = GAR
enable privileges = yes
smb ports = 139 445
server string = Samba Server %v
security = user
encrypt passwords = Yes
obey pam restrictions = No
ldap passwd sync = Yes
ldap timeout = 5
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 500
time server = Yes
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:"ldap://192.168.1.4";


Re: [Samba] Samba + LDAP

2009-04-28 Thread Volker Lendecke
On Tue, Apr 28, 2009 at 11:39:48AM +0200, Vladimir Psenicka wrote:
> I have questions about Samba and LDAP.
> 
> I have samba configured as PDC with ldap, users and groups are in ldap,
> functional. I want to add another server as member server, I configured
> samba on that server with users/groups authentication against ldap on
> PDC, functional.
> 
> But I see this in ldap root:
> sambaDomainname=DOMAIN
> *sambaDomainname=HOSTNAME_OF_MEMBER_SERVER*
> 
> Why is member server creating sambaDomainname=HOSTNAME_OF_MEMBER_SERVER
> entry in ldap root? Is this needed for servers trusts?

Every machine with "passdb backend = ldapsam" creates its
own entry, as every machine has its own user database. This
is very much like the local SAM on Windows workstations
where you can log in as local administrator. This won't
happen if you don't set "passdb backend = ldapsam" and join
the servers into the domain.

Volker



[Samba] Samba + LDAP

2009-04-28 Thread Vladimir Psenicka
Hi

I have questions about Samba and LDAP.

I have samba configured as PDC with ldap, users and groups are in ldap,
functional. I want to add another server as member server, I configured
samba on that server with users/groups authentication against ldap on
PDC, functional.

But I see this in ldap root:
sambaDomainname=DOMAIN
*sambaDomainname=HOSTNAME_OF_MEMBER_SERVER*

Why is member server creating sambaDomainname=HOSTNAME_OF_MEMBER_SERVER
entry in ldap root? Is this needed for servers trusts?

Thanks

-- 
Vladimir Psenicka
IT system engineer
Prodeco a.s.


Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-02 Thread Ray Klassen
mysterious slowness sometimes has a timing out name service at its
back. Is WINS enabled on your server? Do the clients look to your
server as their WINS server? If a WINS lookup fails and then the
clients revert back to broadcast based name resolution, the symptoms
could be similar to what you're seeing.

On Thu, Apr 2, 2009 at 12:20 AM, Grey Karapetyan
 wrote:
> Thanks for answers!
> but I use a Fedora Directory Server.
>
> I'll try to answer your questions:
> << what indexes do you have in slapd.conf?  what hardware is the server
> running on?
> Core2Quad/8gb ddr2
>
> < just OK. also. would you mind running slapindex on the server (turn off
> OpenLDAP first)?, then try if it affected your pdc performance
>
> Sorry but I use FDS, here is no config. All parameters are placed in the db. Any
> concrete parameters I should show you?
>
> < have a reasonable DB-CONFIG file or are you asserting reasonable DB values
> via cn=config? But these are all OpenLDAP questions and not specific to
> Samba. Test your DSA to see if it is fast enough, then move back to testing
> Samba.
>
> Are these OpenLDAP-specific parameters?
> If I use getent passwd | grep -i username - it works really fast (1-2 seconds).
> (From my Samba server)
>
>
> =
> News:
> Now shares show and open fast.
>
> But printers from Windows clients (when getting printer status) are, as before,
> SLOW.
> Then I create a local user on the Samba server and disable the ldap backend - printers
> work fast too.
>
> =
> in man smb.conf I find 2 params
>  ldapsam:trusted=yes
>  ldapsam:editposix=yes
>
> does somebody use this?


Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-02 Thread Grey Karapetyan
Thanks for answers!
but I use a Fedora Directory Server.

I'll try to answer your questions:
<< what indexes do you have in slapd.conf?  what hardware is the server
running on?
Core2Quad/8gb ddr2



Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-01 Thread Adam Tauno Williams
 wrote:
>what indexes do you have in slapd.conf?  what hardware is the server 
>running on?

More important than anything else is your Berkeley environment.  Do you have
a reasonable DB-CONFIG file or are you asserting reasonable DB values via 
cn=config?  But these are all OpenLDAP questions and not specific to Samba. 
 Test your DSA to see if it is fast enough, then move back to testing 
Samba.


Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-01 Thread Victor Medina
would you copy your slapd.conf  to us? the index section only would be just OK.

also. would you mind running slapindex on the server (turn off OpenLDAP
first)?, then try if it affected your pdc performance

Victor Medina

Bob Hope  - "You know you are getting old when the candles cost more
than the cake."


On Thu, Apr 2, 2009 at 12:50 PM, Adam Williams
 wrote:
> what indexes do you have in slapd.conf?  what hardware is the server running
> on?


Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-01 Thread Adam Williams
what indexes do you have in slapd.conf?  what hardware is the server 
running on?



Re: [Samba] Samba + LDAP = SLOW Help please

2009-04-01 Thread David Wells

Grey Karapetyan wrote:

Hi Guys!
Samba suspiciously slow

i have:
CentOS 5.2 final
Samba 3.0.28-0.e15.8


LDAP server placed on another (not Samba) Server
In ldap container "ou=Users" about 5000 entries

When Windows clients connect to samba - Authentication process S.L.O.W.
(about 20-30 seconds).
When number entries less - performance grow (when 10 users -
authentication process go 1-2 seconds)

How can I tune up performance?

==
smb.conf


[global]
log file = /var/log/samba/samba.log.%m
log level = 3
domain logons = no
domain master = no
local master = no
preferred master = no
wins support = no
dns proxy = no
os level = 0
#   server setup ---
netbios name = testsrv
workgroup = TEST
security = user
passdb backend = ldapsam:ldap://x.x.x.x
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=NTGroups
ldap idmap suffix = ou=Idmap
ldap suffix = dc=test
ldap user suffix = ou=Users
#   print setup ---
load printers = yes
printing = cups
printcap = cups
use client driver = yes
[printers]
comment = All Printers
path = /var/spool/samba
readonly = no
browseable = no
guest ok = yes
writable = no
printable = yes
[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
browseable = yes
guest ok = yes
read only = yes


/etc/ldap.conf

uri ldap://x.x.x.x
base dc=test

binddn cn=Directory Manager
bindpw 


#pam_passwordexop
#pam_filter  objectclass=sambaSamAccount

nss_base_passwd ou=Users,dc=test
nss_base_shadow ou=Users,dc=test
nss_base_group ou=NTGroups,dc=test
ssl no
  
I would bet this is not a samba issue but an LDAP issue, specifically in 
the indexing of your database


Greetings,
David Wells.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
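
Added example (not code from the thread or from Samba): the replies above ask for the index section of slapd.conf, and this reads a slapd.conf and lists the attributes Samba and nss_ldap search on that have no equality index, since with about 5000 entries under ou=Users each unindexed lookup is a full scan. The attribute list (taken from the index block of the Samba HOWTO's slapd.conf example) and the sample file are assumptions; it covers OpenLDAP's slapd.conf only, not a Fedora Directory Server that keeps its settings in the directory.

```python
# ASSUMPTION: attributes that Samba's ldapsam and nss_ldap look up by equality;
# this mirrors the index block of the slapd.conf example in the Samba HOWTO.
WANTED = (
    "objectClass", "uid", "uidNumber", "gidNumber", "memberUid",
    "sambaSID", "sambaPrimaryGroupSID", "sambaDomainName",
)

# Constructed slapd.conf fragment (not a file from the thread).
SAMPLE_SLAPD_CONF = """\
# constructed sample
database bdb
suffix "dc=test"
index objectClass eq
index cn,uid pres,sub,eq
index uidNumber,gidNumber
  eq
index memberUid sub
#index sambaSID eq
index default sub
index sambaDomainName
"""


def logical_lines(conf_text):
    """Yield slapd.conf directives with comments dropped and continuations joined."""
    current = None
    for raw in conf_text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and current is not None:
            # A line that starts with whitespace continues the previous one.
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current


def parse_indexes(conf_text):
    """Return {attribute (lower case): set of index types} for every 'index' directive."""
    indexes = {}
    # ASSUMPTION: an 'index <attr>' line without types gets whatever the last
    # 'index default' line set, and nothing if there was none before it.
    default_types = set()
    for line in logical_lines(conf_text):
        words = line.split()
        if words[0].lower() != "index" or len(words) < 2:
            continue
        types = set(words[2].lower().split(",")) if len(words) > 2 else None
        if words[1].lower() == "default":
            default_types = types or set()
            continue
        for attr in words[1].split(","):
            effective = types if types is not None else default_types
            indexes.setdefault(attr.lower(), set()).update(effective)
    return indexes


def missing_eq_indexes(conf_text, wanted=WANTED):
    """Return the wanted attributes that have no equality ('eq') index."""
    indexes = parse_indexes(conf_text)
    return [a for a in wanted if "eq" not in indexes.get(a.lower(), set())]


if __name__ == "__main__":
    for attr in missing_eq_indexes(SAMPLE_SLAPD_CONF):
        print("no eq index on", attr)
```

After adding index lines, the existing database still has to be re-indexed with slapindex while slapd is stopped, as suggested earlier in the thread.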


[Samba] Samba + LDAP = SLOW Help please

2009-04-01 Thread Grey Karapetyan
Hi Guys!
Samba suspiciously slow

i have:
CentOS 5.2 final
Samba 3.0.28-0.e15.8


LDAP server placed on another (not Samba) Server
In ldap container "ou=Users" about 5000 entries

When Windows clients connect to samba - Authentication process S.L.O.W.
(about 20-30 seconds).
When number entries less - performance grow (when 10 users -
authentication process go 1-2 seconds)

How can I tune up performance?

==
smb.conf


[global]
log file = /var/log/samba/samba.log.%m
log level = 3
domain logons = no
domain master = no
local master = no
preferred master = no
wins support = no
dns proxy = no
os level = 0
#   server setup ---
netbios name = testsrv
workgroup = TEST
security = user
passdb backend = ldapsam:ldap://x.x.x.x
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=NTGroups
ldap idmap suffix = ou=Idmap
ldap suffix = dc=test
ldap user suffix = ou=Users
#   print setup ---
load printers = yes
printing = cups
printcap = cups
use client driver = yes
[printers]
comment = All Printers
path = /var/spool/samba
readonly = no
browseable = no
guest ok = yes
writable = no
printable = yes
[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
browseable = yes
guest ok = yes
read only = yes


/etc/ldap.conf

uri ldap://x.x.x.x
base dc=test

binddn cn=Directory Manager
bindpw 


#pam_passwordexop
#pam_filter  objectclass=sambaSamAccount

nss_base_passwd ou=Users,dc=test
nss_base_shadow ou=Users,dc=test
nss_base_group ou=NTGroups,dc=test
ssl no


Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED

2009-03-27 Thread Todd E Thomas
the answers follow the questions below:

did you run testparm -s and look for errors in smb.conf?
---
  Yes, I ran this a 1000 times. The answer: run it 1,001 times-
  There was a problem with wins
wins support = yes
wins server = 10.0.0.14
I kept wins server as that was in a sample at samba.org:
http://wiki.samba.org/index.php/1.0._Configuring_Samba#1.1._smb.conf_PDC

testparm -s now executes without error.
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
===

you don't need these two lines in smb.conf anymore:
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

since you are using ldap and have ldap passwd sync = yes
---
This I found in the walk-through for combining samba/zimbra. I'm a bit novice
so I ran with it:
http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI#Configuring_Samba

I'll try to create a few new users without these lines.
===

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us
---
Actually this is correct for the zimbra implementation of openldap. I don't 
agree with getting so far away from a 'normal' OpenLDAP config but they must
have run into a snag along the way that necessitated this change.
===

did you do smbpasswd -w
---
Yes. It worked as expected. 
===

The error still persists.

# service smb status
smbd dead but pid file exists
nmbd (pid 31030) is running...

It only stays on for a few minutes after you start it, then dies. There is 
nothing dropped in any log. This makes me think that whatever it is - is fatal; 
for the life of me I can't imagine what would cause that.

T




--- awill...@mdah.state.ms.us wrote:

From: Adam Williams 
To: todd_...@ssiresults.com
CC: samba@lists.samba.org
Subject: Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED
Date: Fri, 27 Mar 2009 08:43:24 -0500

did you run testparm -s and look for errors in smb.conf? 

you don't need these two lines in smb.conf anymore:

  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .


since you are using ldap and have ldap passwd sync = yes

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us

did you do smbpasswd -w

Todd E Thomas wrote:
> When I run this command I am not prompted for a password, I just get the 
> below error.
>
> # smbclient -U root //zmail/homes
> Error connecting to 10.0.0.14 (Connection refused)
> Connection to zmail failed (Error NT_STATUS_CONNECTION_REFUSED)
> ---
> Now for the back story:
>   CentOS v5.2 with Samba v3.0.28-1.el5_2.1 and Zimbra 5.0.11_GA on x86_64 
> hardware.
>
> I'm attempting to connect samba (PDC) with zimbra's included openldap. 
> everything appeared to work correctly on an individual basis (samba, zimbra, 
> openldap) and openldap appears to be working correctly via ldapsearch. 
>
> Once I ran authconfig things went a little crazy for samba. I think it's not 
> able to communicate with ldap and I'm not sure what tools and methods there 
> are for a procedural verification of their intercommunication.
>
> Is there such a resource?
>
> As a result, there are a few errors. The one above and one other; smbd keeps 
> dying on me. As I am a novice I'm not sure if these things are related or 
> not. The conf is below.
>
> # service smb status
> smbd dead but pid file exists
> nmbd (pid 9072) is running...
>
>
> Thanks in advance,
>
> Todd E Thomas
> ===
> The host is zmail = 10.0.0.14
> ---
> [global]
>   netbios name = zmail
>   workgroup = OFFICE
>   security = user
>   server string = Palladium %v
>   wins support = yes
>   dns proxy = no
>   name resolve order = wins hosts lmhosts bcast
>   wins server = 10.0.0.14
>   log file = /var/log/samba/log.%m
>   log level = 6
>   max log size = 1000
>   syslog only = no
>   syslog = 0
>   panic action = /usr/share/samba/panic-action %d
>   enable privileges = yes
>   encrypt passwords = yes
> ## Use ldap for auth
>   ldap passwd sync = yes
>   passdb backend = ldapsam:ldaps://zmail.ptest.us/
> #  ldap port = 636
>   ldap admin dn = "cn=config"
>   ldap suffix = dc=ptest,dc=us
>   ldap group suffix = ou=groups
>   ldap user suffix = ou=people
>   ldap machine suffix = ou=machines
>   obey pam restrictions = no
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessf

Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED

2009-03-27 Thread Adam Williams
did you run testparm -s and look for errors in smb.conf? 


you don't need these two lines in smb.conf anymore:

 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .


since you are using ldap and have ldap passwd sync = yes

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us


did you do smbpasswd -w

Todd E Thomas wrote:

When I run this command I am not prompted for a password, I just get the below 
error.

# smbclient -U root //zmail/homes
Error connecting to 10.0.0.14 (Connection refused)
Connection to zmail failed (Error NT_STATUS_CONNECTION_REFUSED)
---
Now for the back story:
  CentOS v5.2 with Samba v3.0.28-1.el5_2.1 and Zimbra 5.0.11_GA on x86_64 
hardware.

I'm attempting to connect samba (PDC) with zimbra's included openldap. everything appeared to work correctly on an individual basis (samba, zimbra, openldap) and openldap appears to be working correctly via ldapsearch. 


Once I ran authconfig things went a little crazy for samba. I think it's not 
able to communicate with ldap and I'm not sure what tools and methods there are 
for a procedural verification of their intercommunication.

Is there such a resource?

As a result, there are a few errors. The one above and one other; smbd keeps 
dying on me. As I am a novice I'm not sure if these things are related or not. 
The conf is below.

# service smb status
smbd dead but pid file exists
nmbd (pid 9072) is running...


Thanks in advance,

Todd E Thomas
===
The host is zmail = 10.0.0.14
---
[global]
  netbios name = zmail
  workgroup = OFFICE
  security = user
  server string = Palladium %v
  wins support = yes
  dns proxy = no
  name resolve order = wins hosts lmhosts bcast
  wins server = 10.0.0.14
  log file = /var/log/samba/log.%m
  log level = 6
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  enable privileges = yes
  encrypt passwords = yes
## Use ldap for auth
  ldap passwd sync = yes
  passdb backend = ldapsam:ldaps://zmail.ptest.us/
#  ldap port = 636
  ldap admin dn = "cn=config"
  ldap suffix = dc=ptest,dc=us
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain master = yes
  domain logons = yes
  os level = 33
  preferred master = yes
  local master = yes
  logon path = \\zmail.ptest.us\%U\profile
  logon home = \\zmail.ptest.us\%U
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet 
--gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
[homes]
  comment = Home Directories
  browseable = yes
  read only = No
  valid users = %S
[netlogon]
  comment = Network Logon Service
  path = /export/netlogon
  read only = yes
  write list = +ntadmin
  locking = no
===
  



[Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED

2009-03-26 Thread Todd E Thomas
When I run this command I am not prompted for a password, I just get the below 
error.

# smbclient -U root //zmail/homes
Error connecting to 10.0.0.14 (Connection refused)
Connection to zmail failed (Error NT_STATUS_CONNECTION_REFUSED)
---
Now for the back story:
  CentOS v5.2 with Samba v3.0.28-1.el5_2.1 and Zimbra 5.0.11_GA on x86_64 
hardware.

I'm attempting to connect samba (PDC) with zimbra's included openldap. 
everything appeared to work correctly on an individual basis (samba, zimbra, 
openldap) and openldap appears to be working correctly via ldapsearch. 

Once I ran authconfig things went a little crazy for samba. I think it's not 
able to communicate with ldap and I'm not sure what tools and methods there are 
for a procedural verification of their intercommunication.

Is there such a resource?

As a result, there are a few errors. The one above and one other; smbd keeps 
dying on me. As I am a novice I'm not sure if these things are related or not. 
The conf is below.

# service smb status
smbd dead but pid file exists
nmbd (pid 9072) is running...


Thanks in advance,

Todd E Thomas
===
The host is zmail = 10.0.0.14
---
[global]
  netbios name = zmail
  workgroup = OFFICE
  security = user
  server string = Palladium %v
  wins support = yes
  dns proxy = no
  name resolve order = wins hosts lmhosts bcast
  wins server = 10.0.0.14
  log file = /var/log/samba/log.%m
  log level = 6
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  enable privileges = yes
  encrypt passwords = yes
## Use ldap for auth
  ldap passwd sync = yes
  passdb backend = ldapsam:ldaps://zmail.ptest.us/
#  ldap port = 636
  ldap admin dn = "cn=config"
  ldap suffix = dc=ptest,dc=us
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain master = yes
  domain logons = yes
  os level = 33
  preferred master = yes
  local master = yes
  logon path = \\zmail.ptest.us\%U\profile
  logon home = \\zmail.ptest.us\%U
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password 
--quiet --gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
[homes]
  comment = Home Directories
  browseable = yes
  read only = No
  valid users = %S
[netlogon]
  comment = Network Logon Service
  path = /export/netlogon
  read only = yes
  write list = +ntadmin
  locking = no
===


[Samba] samba/ldap BDC slowness

2009-03-26 Thread Marco Barbero
Hi list

To the point:
I have a Samba/LDAP PDC that is working fine.
Now I added a Samba/LDAP BDC on a WAN.  I followed tips from
wiki.samba regarding LDAP replication and samba configurations.  It's
working but  I have noticed that when I try to access shares on BDC is
really slow.

I can notice this slowness using smbclient directly on BDC accessing
shares on BDC itself.
If I try to access shares on PDC using smbclient on BDC it's fast!
So I suspect is something related to authentication on BDC.  Anyone
has any hints regarding this?

PDC:  Debian Etch, Samba 3.0.24, smbldap-tools 0.9.2-3, slapd 2.3.30
BDC:  Debian Lenny, Samba 3.2.5, smbldap-tools 0.9.4, slapd 2.4.11

Also:  pdbedit -Lvu on PDC is fast,  on BDC is slow.  getent passwd is
fast on both

Anyone has any hints regarding this issue?

Thanks in advance


Re: [Samba] Samba LDAP troubleshooting

2009-03-19 Thread Adam Williams



Brad C wrote:

Hi There,

Yep, Ok now I understand the SID needs to be the same as the server the
client formed the initial security relationship with,

Is this correct?

Kind Regards
Brad


yes.


[Samba] samba ldap configuration & attributes needed

2009-03-18 Thread John Goubeaux

Folks,

I am attempting to get an install of Samba authenticating against a Sun 
DS as a "stand alone" smb server eg. non PDC.
I have the host OS ( solaris 10) properly configured to authenticate 
against the directory, the directory schema modified
to accept the PosixAccount and SambaSamAccount objectclasses, smb.conf 
configured and in place and a test user in place as well.


My two question(s) are:

What are the minimal directory account attributes needed to get a user 
to authenticate?  eg my understanding is that many
of the attributes are used for a samba server acting as a PDC, which in 
my case are not needed.


My user base in the DS already exists, so I will want to just add the
extra necessary object classes and attributes to the
user's existing entries. What mechanism determines what the  sambaSID
and  sambaPrimaryGroupSID values are ? I am unclear
how these values are derived and what they are based on. Realize my
users already have passwd's in their entries that I am hoping
to not have to change.

any help is appreciated!   -john

--

John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Phelps Hall 3534
805 893-8190

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
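
Added example (not code from these threads or from Samba): a sambaSID or sambaPrimaryGroupSID is a domain SID followed by a relative ID, and this check splits each stored value and compares its domain part with the SID printed by `net getdomainsid`, the comparison asked for in the "Samba LDAP troubleshooting" thread on this page. The two SIDs in `NET_OUTPUT` are the ones quoted earlier on this page; the directory entries, DNs and RIDs are constructed, and accepting the builtin prefix S-1-5-32 for group mappings is an assumption.

```python
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
DOMAIN_LINE_RE = re.compile(r"^SID for domain (\S+) is: (\S+)\s*$", re.M)
BUILTIN = "S-1-5-32"   # well-known BUILTIN domain, e.g. S-1-5-32-544

# Output format and SIDs as quoted earlier on this page.
NET_OUTPUT = """\
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377
"""

_DOM = "S-1-5-21-957249707-1866601452-441284377"
_MACHINE = "S-1-5-21-2859034502-3981372097-2611941478"

# Constructed directory entries (DNs and RIDs are made up for the example).
ENTRIES = [
    {"dn": "uid=alice,ou=Users,dc=example", "objectClass": ["sambaSamAccount"],
     "sambaSID": _DOM + "-3000", "sambaPrimaryGroupSID": _DOM + "-513"},
    # Account created against a server's local SID instead of the domain SID.
    {"dn": "uid=bob,ou=Users,dc=example", "objectClass": ["sambaSamAccount"],
     "sambaSID": _MACHINE + "-3002", "sambaPrimaryGroupSID": _DOM + "-513"},
    # Damaged value and a missing primary group SID.
    {"dn": "uid=carol,ou=Users,dc=example", "objectClass": ["sambaSamAccount"],
     "sambaSID": _DOM + "-"},
    {"dn": "cn=admins,ou=Groups,dc=example", "objectClass": ["sambaGroupMapping"],
     "sambaSID": BUILTIN + "-544"},
]


def split_sid(sid):
    """Split a SID into (domain part, RID); raise ValueError if it is malformed."""
    sid = sid.strip()
    if not SID_RE.fullmatch(sid):
        raise ValueError("malformed SID: %r" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def domain_sid(net_output):
    """Extract (domain name, domain SID) from 'net getdomainsid' output."""
    m = DOMAIN_LINE_RE.search(net_output)
    if m is None:
        raise ValueError("no 'SID for domain' line found")
    name, sid = m.groups()
    split_sid(sid)                      # reject a truncated or garbled SID
    return name, sid


def audit(entries, dom_sid):
    """Return [(dn, attribute, problem)] for SIDs that do not belong to dom_sid."""
    findings = []
    for entry in entries:
        is_group = "sambaGroupMapping" in entry.get("objectClass", ())
        attrs = ("sambaSID",) if is_group else ("sambaSID", "sambaPrimaryGroupSID")
        for attr in attrs:
            value = entry.get(attr)
            if not value:
                findings.append((entry["dn"], attr, "missing"))
                continue
            try:
                prefix, _rid = split_sid(value)
            except ValueError:
                findings.append((entry["dn"], attr, "malformed"))
                continue
            if prefix == dom_sid or (is_group and prefix == BUILTIN):
                continue
            findings.append((entry["dn"], attr, "foreign:" + prefix))
    return findings


if __name__ == "__main__":
    name, sid = domain_sid(NET_OUTPUT)
    print("domain %s has SID %s" % (name, sid))
    for dn, attr, problem in audit(ENTRIES, sid):
        print("%s: %s %s" % (dn, attr, problem))
```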


Re: [Samba] Samba LDAP troubleshooting

2009-03-18 Thread Brad C
Hi There,

Yep, Ok now I understand the SID needs to be the same as the server the
client formed the initial security relationship with,

Is this correct?

Kind Regards
Brad

On Tue, Mar 17, 2009 at 7:47 PM, Adam Williams wrote:

> well the user's sid is invalid.  does it match the domain's sid with net
> getdomainsid?
>
>
> Brad C wrote:
>
>> Hello
>>
>> I'm hoping someone can provide some insight, sample snippet from smb.conf
>> and the samba log.
>> Password authentication is working & succeeding, complains about an invalid
>> SID which I know is the trust relationship that is formed between server and
>> client, this is a duplicate ldap database from a samba domain controller.
>>
>> On the topic, anyone have a good book to recommend on Samba, I feel I am
>> only using 10% of its capability and not really well at that... something is
>> staring me in the face and I'm missing it.
>>
>> [global]
>>workgroup = companyx
>>printing = cups
>>hosts allow = 192.168.1.
>>printcap name = cups
>>printcap cache time = 750
>>cups options = raw
>>map to guest = Bad User
>>include = /etc/samba/dhcp.conf
>>security = user
>>encrypt passwords = Yes
>>obey pam restrictions = No
>>log level = 2
>>passdb backend = ldapsam:ldap://127.0.0.1/
>>ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
>>ldap suffix = dc=companyx,dc=co,dc=za
>>ldap group suffix = ou=Groups
>>ldap user suffix = ou=Users
>>ldap machine suffix = ou=Computers
>>ldap idmap suffix = ou=Users
>>ldap ssl = off
>>ldap delete dn = Yes
>>
>> [testdir]
>>comment = test1
>>path = "/data/test"
>>browseable = yes
>>writable = yes
>>read only = no
>>available = yes
>>valid users = bradleyc
>>admin users = bradleyc
>>
>>
>>
>> [2009/03/13 08:36:39,  2]
>> lib/access.c:check_access(406)
>>
>>  Allowed connection from ___192.168.2.154
>> (:::192.168.2.154)
>>
>> [2009/03/13 08:36:39,  2]
>> lib/smbldap.c:smbldap_open_connection(796)
>>
>>  smbldap_open_connection: connection
>> opened
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>
>>  init_sam_from_ldap: Entry found for user:
>> bradleyc
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 513
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 513
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 1010
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 512
>>
>> [2009/03/13 08:36:39,  2]
>> auth/auth.c:check_ntlm_password(308)
>>
>>  check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] ->
>> [bradleyc] succeeded
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 544
>>
>> [2009/03/13 08:36:39,  2]
>> lib/access.c:check_access(406)
>>
>>  Allowed connection from :::192.168.2.154
>> (:::192.168.2.154)
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>
>>  init_sam_from_ldap: Entry found for user:
>> bradleyc
>>
>> [2009/03/13 08:36:39,  2]
>> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>
>>  init_group_from_ldap: Entry found for group:
>> 513
>>
>> [2009/03/13 08:36:39,  0]
>> passdb/passdb.c:lookup_global_sam_name(595)
>>
>>  User bradleyc with invalid SID
>> S-1-5-21-1571991244-1820204139-1100571284-3420 in
>> passdb
>> [2009/03/13 08:36:39,  2]
>> smbd/service.c:make_connection_snum(736)
>>
>>  user 'bradleyc' (from session setup) not permitted to access this share
>> (testdir)
>>
>>
>


Re: [Samba] Samba LDAP troubleshooting

2009-03-17 Thread Adam Williams
well the user's sid is invalid.  does it match the domain's sid with net 
getdomainsid?


Brad C wrote:

Hello

I'm hoping someone can provide some insight, sample snippet from smb.conf
and the samba log.
Password authentication is working & succeeding, complains about an invalid
SID which I know is the trust relationship that is formed between server and
client, this is a duplicate ldap database from a samba domain controller.

On the topic, anyone have a good book to recommend on Samba, I feel I am
only using 10% of its capability and not really well at that... something is
staring me in the face and Im missing it.

[global]
workgroup = companyx
printing = cups
hosts allow = 192.168.1.
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
security = user
encrypt passwords = Yes
obey pam restrictions = No
log level = 2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
ldap suffix = dc=companyx,dc=co,dc=za
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = off
ldap delete dn = Yes

[testdir]
comment = test1
path = "/data/test"
browseable = yes
writable = yes
read only = no
available = yes
valid users = bradleyc
admin users = bradleyc



[2009/03/13 08:36:39,  2]
lib/access.c:check_access(406)

  Allowed connection from ___192.168.2.154
(:::192.168.2.154)

[2009/03/13 08:36:39,  2]
lib/smbldap.c:smbldap_open_connection(796)

  smbldap_open_connection: connection
opened

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_sam_from_ldap(571)

  init_sam_from_ldap: Entry found for user:
bradleyc

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
513

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
513

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
1010

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
512

[2009/03/13 08:36:39,  2]
auth/auth.c:check_ntlm_password(308)

  check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] ->
[bradleyc] succeeded
[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
544

[2009/03/13 08:36:39,  2]
lib/access.c:check_access(406)

  Allowed connection from :::192.168.2.154
(:::192.168.2.154)

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_sam_from_ldap(571)

  init_sam_from_ldap: Entry found for user:
bradleyc

[2009/03/13 08:36:39,  2]
passdb/pdb_ldap.c:init_group_from_ldap(2344)

  init_group_from_ldap: Entry found for group:
513

[2009/03/13 08:36:39,  0]
passdb/passdb.c:lookup_global_sam_name(595)

  User bradleyc with invalid SID
S-1-5-21-1571991244-1820204139-1100571284-3420 in
passdb
[2009/03/13 08:36:39,  2]
smbd/service.c:make_connection_snum(736)

  user 'bradleyc' (from session setup) not permitted to access this share
(testdir)
  



Re: [Samba] Samba LDAP troubleshooting

2009-03-13 Thread Brad C
Hi Julian,

It is not acting as a domain controller, I would like to use the ldap
backend of the pdc to authenticate instead of having to setup separate
passwords.
I have not reset passwords, it's a duplicate database of the pdc.

net getlocalsid

SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638

Kind Regards
Brad


On Fri, Mar 13, 2009 at 12:39 PM,  wrote:

> Hiya,
>
> A few questions.
>
> Is the machine a PDC
>
> what's the output of the command "net getlocalsid" in a terminal
>
> What scripts are you using to change passwords? smbldaptools?
>
> Cheers,
>
> Julian
>
>
> > Hello
> >
> > I'm hoping someone can provide some insight, sample snippet from smb.conf
> > and the samba log.
> > Password authentication is working & succeeding, complains about an
> > invalid
> > SID which I know is the trust relationship that is formed between server
> > and
> > client, this is a duplicate ldap database from a samba domain controller.
> >
> > On the topic, anyone have a good book to recommend on Samba, I feel I am
> > only using 10% of its capability and not really well at that... something
> > is
> > staring me in the face and Im missing it.
> >
> > [global]
> > workgroup = companyx
> > printing = cups
> > hosts allow = 192.168.1.
> > printcap name = cups
> > printcap cache time = 750
> > cups options = raw
> > map to guest = Bad User
> > include = /etc/samba/dhcp.conf
> > security = user
> > encrypt passwords = Yes
> > obey pam restrictions = No
> > log level = 2
> > passdb backend = ldapsam:ldap://127.0.0.1/
> > ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> > ldap suffix = dc=companyx,dc=co,dc=za
> > ldap group suffix = ou=Groups
> > ldap user suffix = ou=Users
> > ldap machine suffix = ou=Computers
> > ldap idmap suffix = ou=Users
> > ldap ssl = off
> > ldap delete dn = Yes
> >
> > [testdir]
> > comment = test1
> > path = "/data/test"
> > browseable = yes
> > writable = yes
> > read only = no
> > available = yes
> > valid users = bradleyc
> > admin users = bradleyc
> >
> >
> >
> > [2009/03/13 08:36:39,  2]
> > lib/access.c:check_access(406)
> >
> >   Allowed connection from ___192.168.2.154
> > (:::192.168.2.154)
> >
> > [2009/03/13 08:36:39,  2]
> > lib/smbldap.c:smbldap_open_connection(796)
> >
> >   smbldap_open_connection: connection
> > opened
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >
> >   init_sam_from_ldap: Entry found for user:
> > bradleyc
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 1010
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 512
> >
> > [2009/03/13 08:36:39,  2]
> > auth/auth.c:check_ntlm_password(308)
> >
> >   check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc]
> > ->
> > [bradleyc] succeeded
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 544
> >
> > [2009/03/13 08:36:39,  2]
> > lib/access.c:check_access(406)
> >
> >   Allowed connection from :::192.168.2.154
> > (:::192.168.2.154)
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >
> >   init_sam_from_ldap: Entry found for user:
> > bradleyc
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  0]
> > passdb/passdb.c:lookup_global_sam_name(595)
> >
> >   User bradleyc with invalid SID
> > S-1-5-21-1571991244-1820204139-1100571284-3420 in
> > passdb
> > [2009/03/13 08:36:39,  2]
> > smbd/service.c:make_connection_snum(736)
> >
> >   user 'bradleyc' (from session setup) not permitted to access this share
> > (testdir)
> >
> >
>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
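
The comparison Adam Williams asks for in this thread, as an added example (not code from any poster or from the Samba project): it re-joins mail-wrapped smbd log records, pulls the SID out of the "invalid SID" record and compares its domain part with the `net getlocalsid` output Brad posted. The function and field names are this example's own.

```python
import re

# Three records from the smbd log posted in this thread, kept in the
# mail-wrapped form in which the replies quote them.
SAMPLE_LOG = """\
[2009/03/13 08:36:39,  2]
auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] ->
[bradleyc] succeeded
[2009/03/13 08:36:39,  0]
passdb/passdb.c:lookup_global_sam_name(595)
  User bradleyc with invalid SID
S-1-5-21-1571991244-1820204139-1100571284-3420 in
passdb
[2009/03/13 08:36:39,  2]
smbd/service.c:make_connection_snum(736)
  user 'bradleyc' (from session setup) not permitted to access this share
(testdir)
"""
# Output of "net getlocalsid" as posted in this thread.
NET_GETLOCALSID = "SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638"

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*(.*)$")
INVALID_SID = re.compile(r"User (\S+) with invalid SID (S-1-5-21(?:-\d+){4}) in passdb")
AUTH_OK = re.compile(r"authentication for user .*\[([^\]]+)\] succeeded")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                    r"to access this share \(([^)]+)\)")
NET_SID = re.compile(r"SID for (?:domain|local machine) (\S+) is: "
                     r"(S-1-5-21(?:-\d+){3})(?![-\d])")


def parse_records(text):
    """Group log lines into (timestamp, level, message) records.

    A record starts at a '[date time, level]' header and owns every line up
    to the next header, so messages wrapped by a mail client are re-joined.
    """
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), [m.group(3)]])
        elif records and line.strip():
            records[-1][2].append(line)
    return [(ts, lvl, " ".join(" ".join(parts).split())) for ts, lvl, parts in records]


def local_domain_sid(net_output):
    """Extract (name, SID) from the first 'SID for ... is:' line."""
    m = NET_SID.search(net_output)
    if not m:
        raise ValueError("no 'SID for ... is:' line found")
    return m.group(1), m.group(2)


def diagnose(log_text, net_output):
    """Report each 'invalid SID' record with the domain comparison behind it."""
    name, local_sid = local_domain_sid(net_output)
    records = parse_records(log_text)
    authed = {m.group(1) for _, _, msg in records if (m := AUTH_OK.search(msg))}
    denied = {}
    for _, _, msg in records:
        if (m := DENIED.search(msg)):
            denied.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for ts, _, msg in records:
        m = INVALID_SID.search(msg)
        if not m:
            continue
        user, sid = m.groups()
        sid_domain, _, rid = sid.rpartition("-")  # last sub-authority is the RID
        findings.append({
            "time": ts, "user": user, "sid_domain": sid_domain, "rid": int(rid),
            "local_name": name, "local_sid": local_sid,
            "domain_matches": sid_domain == local_sid,
            "auth_succeeded": user in authed,
            "denied_shares": denied.get(user, []),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, NET_GETLOCALSID):
        print(finding)
```

On the thread's data the single finding has `domain_matches` false while `auth_succeeded` is true, which is the combination Brad describes: the password check passes and the share connection is then refused.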


Re: [Samba] Samba LDAP troubleshooting

2009-03-13 Thread jpb
Hiya,

A few questions.

Is the machine a PDC?

What's the output of the command "net getlocalsid" in a terminal?

What scripts are you using to change passwords? smbldaptools?

Cheers,

Julian


> Hello
>
> I'm hoping someone can provide some insight, sample snippet from smb.conf
> and the samba log.
> Password authentication is working & succeeding, complains about an
> invalid
> SID which I know is the trust relationship that is formed between server
> and
> client, this is a duplicate ldap database from a samba domain controller.
>
> On the topic, anyone have a good book to recommend on Samba, I feel I am
> only using 10% of its capability and not really well at that... something
> is
> staring me in the face and Im missing it.
>
> [global]
> workgroup = companyx
> printing = cups
> hosts allow = 192.168.1.
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> security = user
> encrypt passwords = Yes
> obey pam restrictions = No
> log level = 2
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> ldap suffix = dc=companyx,dc=co,dc=za
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap ssl = off
> ldap delete dn = Yes
>
> [testdir]
> comment = test1
> path = "/data/test"
> browseable = yes
> writable = yes
> read only = no
> available = yes
> valid users = bradleyc
> admin users = bradleyc
>
>
>
> [2009/03/13 08:36:39,  2]
> lib/access.c:check_access(406)
>
>   Allowed connection from ___192.168.2.154
> (:::192.168.2.154)
>
> [2009/03/13 08:36:39,  2]
> lib/smbldap.c:smbldap_open_connection(796)
>
>   smbldap_open_connection: connection
> opened
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>
>   init_sam_from_ldap: Entry found for user:
> bradleyc
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 1010
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 512
>
> [2009/03/13 08:36:39,  2]
> auth/auth.c:check_ntlm_password(308)
>
>   check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc]
> ->
> [bradleyc] succeeded
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 544
>
> [2009/03/13 08:36:39,  2]
> lib/access.c:check_access(406)
>
>   Allowed connection from :::192.168.2.154
> (:::192.168.2.154)
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>
>   init_sam_from_ldap: Entry found for user:
> bradleyc
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  0]
> passdb/passdb.c:lookup_global_sam_name(595)
>
>   User bradleyc with invalid SID
> S-1-5-21-1571991244-1820204139-1100571284-3420 in
> passdb
> [2009/03/13 08:36:39,  2]
> smbd/service.c:make_connection_snum(736)
>
>   user 'bradleyc' (from session setup) not permitted to access this share
> (testdir)
>
>




[Samba] Samba LDAP troubleshooting

2009-03-13 Thread Brad C
Hello

I'm hoping someone can provide some insight, sample snippet from smb.conf
and the samba log.
Password authentication is working & succeeding, complains about an invalid
SID which I know is the trust relationship that is formed between server and
client, this is a duplicate ldap database from a samba domain controller.

On the topic, anyone have a good book to recommend on Samba, I feel I am
only using 10% of its capability and not really well at that... something is
staring me in the face and I'm missing it.

[global]
workgroup = companyx
printing = cups
hosts allow = 192.168.1.
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
security = user
encrypt passwords = Yes
obey pam restrictions = No
log level = 2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
ldap suffix = dc=companyx,dc=co,dc=za
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = off
ldap delete dn = Yes

[testdir]
comment = test1
path = "/data/test"
browseable = yes
writable = yes
read only = no
available = yes
valid users = bradleyc
admin users = bradleyc



[2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
  Allowed connection from ___192.168.2.154 (:::192.168.2.154)
[2009/03/13 08:36:39,  2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: bradleyc
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 1010
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 512
[2009/03/13 08:36:39,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 544
[2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
  Allowed connection from :::192.168.2.154 (:::192.168.2.154)
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: bradleyc
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  0] passdb/passdb.c:lookup_global_sam_name(595)
  User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
[2009/03/13 08:36:39,  2] smbd/service.c:make_connection_snum(736)
  user 'bradleyc' (from session setup) not permitted to access this share (testdir)


[Samba] SAMBA+LDAP: Domain-Policies WHERE?

2009-02-12 Thread Axel Werner

Hi!

I really got stuck on testing samba and ldap scenarios. I want to use
PASSWORD POLICIES. But it looked like SAMBA ignores my Policy Settings
within my LDAP DOMAIN Object.

I have set

- sambaMaxPwdAge 300
- sambaMinPwdAge 60
- sambaMinPwdLength 8
- sambaPwdHistoryLength 10

and so on.

Someone told me there is another tool called "pdbedit" I should use to
edit my Samba Domain-Policy stuff. So I tried ... but it showed me
"different" values.
I took lots of trouble with searching the internet and reading samba docs
for that problem. But there was no such information...


Meanwhile I found the Solution:

If you change Attributes (values) on the LDAP Domain-Object YOU HAVE TO
RESTART THE SAMBA DAEMON and give it some time too, so it will read
those new values.


I think this is important information, that Samba DOES NOT request
the domain parameters "live" but only at Start-Time. So I recommend
this should be placed in the samba docs at some points.


regards
Axel





Re: [Samba] Samba + LDAP problem

2009-02-05 Thread plug bert
Ran into the same problem too. What I did was:

1. created a generic barebones smb.conf (i.e. no ldap backend and such)
2. started up samba
3. shut down samba
4. edited smb.conf to support ldap backend
5. started up samba

It may have something to do with samba not generating an SID when configured to
support LDAP at the onset.


*or*, just do the setlocalsid thing as Mr. Björn Jacke has suggested



--- On Wed, 2/4/09, Agustin Eguia  wrote:

> From: Agustin Eguia 
> Subject: [Samba] Samba + LDAP problem
> To: samba@lists.samba.org
> Date: Wednesday, February 4, 2009, 5:44 AM
> Hello everyone, I have a question here that has been giving
> me troubles :
> 
> I installed my PDC with samba + LDAP... everything seems to
> work just fine (user creation, population, groups, users and
> machines connecting to the domain)... but one thing keeps
> not working : net getlocalsid... I keep getting this message
> : Can't fetch domain SID for name: MACHINENAME
> 
> 
> I searched the internet like crazy even asked in IRC
> channels but no luck... can anyone enlight me on this one ?
> 
> 
> Thanks,
> 
> 
> A.





Re: [Samba] Samba + LDAP problem

2009-02-04 Thread Björn Jacke
On 2009-02-03 at 17:44 +0100 Agustin Eguia sent off:
> Hello everyone, I have a question here that has been giving me troubles :
>
> I installed my PDC with samba + LDAP... everything seems to work just fine 
> (user creation, population, groups, users and machines connecting to the 
> domain)... but one thing keeps not working : net getlocalsid... I keep 
> getting this message : Can't fetch domain SID for name: MACHINENAME
>
>
> I searched the internet like crazy even asked in IRC channels but no 
> luck... can anyone enlight me on this one ?

I saw something like that, looks like the localsid initialization logic is broken.
Take a look at https://bugzilla.samba.org/show_bug.cgi?id=6033 for description
and workaround.

Cheers
Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


Re: [Samba] Samba + LDAP problem

2009-02-03 Thread Adam Williams
http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-massive

 Samba-3 generates a Windows Security Identifier (SID) only when smbd  has
been started. For this reason, you start Samba. After a few seconds
delay, execute:

root#  smbclient -L localhost -U%
root#  net getlocalsid

A report such as the following means that the domain SID has not yet been
written to the secrets.tdb or to the LDAP backend:

[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
  failed to bind to server ldap://massive.abmas.biz with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server (unknown)
[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)

The attempt to read the SID will cause an attempted bind to the LDAP
server. Because the LDAP server is not running, this operation will fail
by way of a timeout, as shown previously. This is normal output; do not
worry about this error message. When the domain has been created and
written to the secrets.tdb file, the output should look like this:

SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765

If, after a short delay (a few seconds), the domain SID has still not been
written to the secrets.tdb file, it is necessary to investigate what may
be misconfigured. In this case, carefully check the smb.conf file for
typographical errors (the most common problem). The use of the testparm is
highly recommended to validate the contents of this file.

> Hello everyone, I have a question here that has been giving me troubles :
>
> I installed my PDC with samba + LDAP... everything seems to work just
> fine (user creation, population, groups, users and machines connecting
> to the domain)... but one thing keeps not working : net getlocalsid... I
> keep getting this message : Can't fetch domain SID for name: MACHINENAME
>
>
> I searched the internet like crazy even asked in IRC channels but no
> luck... can anyone enlight me on this one ?
>
>
> Thanks,
>
>
> A.
>




[Samba] Samba + LDAP problem

2009-02-03 Thread Agustin Eguia

Hello everyone, I have a question here that has been giving me troubles :

I installed my PDC with samba + LDAP... everything seems to work just 
fine (user creation, population, groups, users and machines connecting 
to the domain)... but one thing keeps not working : net getlocalsid... I 
keep getting this message : Can't fetch domain SID for name: MACHINENAME



I searched the internet like crazy, even asked in IRC channels, but no
luck... can anyone enlighten me on this one?



Thanks,


A.

