Re: [Samba] Samba Authentication With Kerberos

2013-01-30 Thread Fabian von Romberg

Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list
>> all shares with smbclient with samba authentication, everything works fine. But
>> when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in
> another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
>> Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type
>> aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to "localhost" because we can never
> know which "localhost" that is.  If you have somehow registered a
> 'localhost' as a servicePrincipalName, then this is likely the cause of
> the issue.  (This error indicates that the key you got from the KDC is
> not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba Authentication With Kerberos

2013-01-28 Thread Fabian von Romberg

Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list
>> all shares with smbclient with samba authentication, everything works fine. But
>> when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in
> another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
>> Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type
>> aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to "localhost" because we can never
> know which "localhost" that is.  If you have somehow registered a
> 'localhost' as a servicePrincipalName, then this is likely the cause of
> the issue.  (This error indicates that the key you got from the KDC is
> not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett






Re: [Samba] Samba Authentication With Kerberos

2013-01-28 Thread David Salib, Mr
Disregard, that, sorry.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of David Salib, Mr
Sent: January-28-13 9:38 AM
To: Andrew Bartlett; Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

Thank you, this is a Samba4 host as an AD DC.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Andrew Bartlett
Sent: January-28-13 9:32 AM
To: Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
> 
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list
> all shares with smbclient with samba authentication, everything works
> fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD 
domain?

> The command I execute is:
> 
> smbclient -L localhost -k
> 
> The error message from Samba is:
> 
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): Decrypt integrity check failed for checksum type 
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE 
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to "localhost" because we can never know 
which "localhost" that is.  If you have somehow registered a 'localhost' as a 
servicePrincipalName, then this is likely the cause of the issue.  (This error 
indicates that the key you got from the KDC is not the key that the server has 
in its secrets database/keytab.)

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba Authentication With Kerberos

2013-01-28 Thread David Salib, Mr
Thank you, this is a Samba4 host as an AD DC.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Andrew Bartlett
Sent: January-28-13 9:32 AM
To: Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
> 
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list
> all shares with smbclient with samba authentication, everything works
> fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD 
domain?

> The command I execute is:
> 
> smbclient -L localhost -k
> 
> The error message from Samba is:
> 
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see 
> text): Decrypt integrity check failed for checksum type 
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE 
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to "localhost" because we can never know 
which "localhost" that is.  If you have somehow registered a 'localhost' as a 
servicePrincipalName, then this is likely the cause of the issue.  (This error 
indicates that the key you got from the KDC is not the key that the server has 
in its secrets database/keytab.)

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba Authentication With Kerberos

2013-01-28 Thread Andrew Bartlett
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
> 
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list
> all shares with smbclient with samba authentication, everything works
> fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in
another AD domain?

> The command I execute is:
> 
> smbclient -L localhost -k
> 
> The error message from Samba is:
> 
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): 
> Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key 
> type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to "localhost" because we can never
know which "localhost" that is.  If you have somehow registered a
'localhost' as a servicePrincipalName, then this is likely the cause of
the issue.  (This error indicates that the key you got from the KDC is
not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
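
An added example, not part of the original post or of Samba: a Python check for the two conditions the reply above describes, a Kerberos target name that is a loopback name or address, and a servicePrincipalName registered for such a name. It goes slightly beyond the post by also flagging other IP literals and an SPN held by more than one account; the account names and SPN values are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Names every machine resolves to itself, so the KDC cannot tell which
# server's key the client means.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

# Constructed sample: account name -> servicePrincipalName values.
SAMPLE_ACCOUNTS = {
    "DC1$": ["HOST/dc1.samdom.example.com", "HOST/DC1", "cifs/localhost"],
    "svc-backup": ["cifs/files.samdom.example.com"],
    "FILES$": ["HOST/files.samdom.example.com",
               "cifs/files.samdom.example.com",
               "ldap/127.0.0.1:389"],
}


def target_problem(host):
    """Return why `host` is a poor Kerberos target name, or None if it is fine."""
    h = host.strip().rstrip(".").lower()
    if h.startswith("[") and h.endswith("]"):    # bracketed IPv6 literal
        h = h[1:-1]
    if h in LOOPBACK_NAMES:
        return "loopback name"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return None                               # an ordinary host name
    return "loopback address" if ip.is_loopback else "IP literal"


def spn_host(spn):
    """Extract the host part of 'service/host[:port][/name]'."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {spn!r}")
    host = parts[1]
    if host.startswith("["):                      # [v6]:port
        return host[: host.index("]") + 1]
    if host.count(":") == 1:                      # host:port
        host = host.split(":", 1)[0]
    return host


def audit_spns(accounts):
    """Return sorted (account(s), spn, reason) findings for an SPN listing."""
    findings = []
    holders = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            holders[spn.lower()].add(account)
            reason = target_problem(spn_host(spn))
            if reason:
                findings.append((account, spn, reason))
    # One SPN on several accounts: the KDC cannot tell whose key should
    # encrypt the ticket, so the server may be handed one it cannot decrypt.
    for spn, who in holders.items():
        if len(who) > 1:
            findings.append((",".join(sorted(who)), spn, "duplicate SPN"))
    return sorted(findings)


if __name__ == "__main__":
    for host in ("localhost", "dc1.samdom.example.com"):
        print(host, "->", target_problem(host) or "ok")
    for finding in audit_spns(SAMPLE_ACCOUNTS):
        print(finding)
```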




[Samba] Samba Authentication With Kerberos

2013-01-27 Thread Fabian von Romberg
Hi All,

I'm trying to set up a server with Samba4 with Kerberos. When I want to list
all shares with smbclient with samba authentication, everything works fine. But
when I try to authenticate using Kerberos, I get an error.

The command I execute is:

smbclient -L localhost -k

The error message from Samba is:

using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): 
Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type 
aes256-cts-hmac-sha1-96
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE


Any help will be appreciated.

Thanks and regards,



Re: [Samba] Samba authentication problem

2011-04-12 Thread Michael Wood
On 25 March 2011 01:47, Xamindar wrote:
>
>
> On 03/24/2011 03:55 PM, Jeremy Allison wrote:
>> On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
>>> On 03/24/2011 03:33 PM, Jeremy Allison wrote:
>>>> Share level security doesn't automatically mean no password.
>>>> Either use the password for user xamindar, or add
>>> Like I stated in the first post, it is not accepting the password for
>>> "xamindar". It spits back that it is wrong and in the logs I see
>>> "create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD". The
>>> password is correct. It works fine with security set to user. I have
>>> tested with the mount command in linux and with a Vista machine, neither
>>> are able to connect.
>>>
>>>>
>>>> "map to guest = Bad Password"
>>>>
>>> When this is set it will ALWAYS connect as guest because it is not
>>> accepting any valid passwords.
>>>
>>>> in the [global] section of your smb.conf. See the
>>>> smb.conf man page for details.
>>> Thanks for the recommendations.
>>>>
>>>> Jeremy.
>>> Am I missing something vital when security is set to share?
>>
>> Sounds like a bug in your version of the cifsfs kernel
>> module. With security=share try connecting with the
>> same password using smbclient. If it correctly connects
>> then it's cifsfs screwing up somehow.
>>
>> Jeremy.
> It still rejects it with this message:
>
> # smbclient //172.16.0.7/backup -U xamindar
> Enter xamindar's password:
> Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
> Server not using user level security and no password supplied.
> Server requested LANMAN password (share-level security) but 'client
> lanman auth' is disabled
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> I did type the password even though it is saying no password is
> supplied. I tried enabling 'client lanman auth' and restarting the
> server but I still get the same message when trying to connect.

Well, as far as I can tell based on discussions here and on
samba-technical, security = share is a bit of a hack (the way it
works, and not just Samba's implementation) and probably doesn't work
in recent versions of Windows anyway (although I haven't tried it).

Your test above failed because share level security seems to imply the
insecure lanman authentication, but "client lanman auth" defaults to
"no", so smbclient refuses to send the password.

cifsfs is probably also refusing to use lanman authentication, and
there may be an option to tell it to allow lanman auth.

I am no expert on this, so if that doesn't work, I can't help.  You
should probably try getting things to work with "security = user" and
"map to guest = Bad Password", though, since "security = share" has
always been dodgy and is likely to cause you trouble in future when
you upgrade Samba.

-- 
Michael Wood 
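
An added example, not part of the original post or of Samba: a short Python audit that parses an smb.conf and reports the settings this thread turns on, `security = share` and any LANMAN option switched on. The parser is a simplified reading of the smb.conf format; `WEAK_CONF` is constructed from the configuration posted in the thread plus the `client lanman auth` setting the poster tried, and `FIXED_CONF` is one assumed way to express the suggested `security = user` setup for guest read and authenticated write.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}
LANMAN_PARAMS = {"lanmanauth": "lanman auth",
                 "clientlanmanauth": "client lanman auth"}

# Constructed from the smb.conf posted in the thread.
WEAK_CONF = """
[global]
 server string = Backup and Multimedia server
 security = SHARE
 client lanman auth = Yes
 write list = xamindar

[backup]
 path = /mnt/user/backup
"""

# Assumed rewrite following the advice in the thread (not the poster's file).
FIXED_CONF = """
[global]
 server string = Backup and Multimedia server
 security = user
 map to guest = Bad Password

[backup]
 path = /mnt/user/backup
 guest ok = yes
 read only = yes
 write list = xamindar
"""


def norm_name(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):             # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)    # only the first '=' counts
            conf[section][norm_name(name)] = value.strip()
    return conf


def audit(text):
    """Return sorted (section, parameter, value, why) findings."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        security = params.get("security", "")
        if section == "global" and security.lower() == "share":
            findings.append((section, "security", security,
                             "share-level security"))
        for key, shown in LANMAN_PARAMS.items():
            value = params.get(key, "")
            if value.lower() in TRUE_VALUES:
                findings.append((section, shown, value,
                                 "LANMAN authentication enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(text) or "no findings")
```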


Re: [Samba] Samba authentication problem

2011-04-12 Thread Xamindar
It seems samba has outgrown its documentation and this is not possible
anymore despite what it states. It would have been nice if someone here
could have told me but maybe no one knows? Thanks to those who responded
earlier. I found out through lots of searching and chats on irc that you
can't do this with share level security. It's a shame, it would have been
very useful in a low security home environment.


On 4/11/2011 10:54 PM, Xamindar wrote:
I'm coming back to this problem after giving it a rest for a while. I 
find it hard to believe that no one sets up authentication with 
security set to share. Is that really the case? Is share security 
deprecated and untested or something? As no one was able to point out 
what I did wrong in my config before, I decided to try setting this 
scenario up on a completely different system which runs a different 
distro (same version of samba afaik).  I am having the same exact 
problem on this other machine so it must be a config issue or samba 
just doesn't work this way. This time I am testing it by trying to 
connect to it from a windows xp and vista machine. Both machines keep 
re-prompting me for the userid and password of the share over and over 
again after I type the correct password. Why is it so impossible to 
have a simple username authenticate to a share? At this point to have 
a little security, I have to make them all guest access read only as 
nothing else works in this mode. I don't mean to sound a little 
frustrated but I would have thought samba would be a little more 
robust than that by now.


If it just isn't meant to work this way can someone help me out a 
little and explain it? I have read through the docs and explanations 
of the different options many times and can't find a reason it 
shouldn't work. Thanks for any help, I don't know what else to do.


On 3/24/2011 1:00 PM, Xamindar wrote:

Hi, I have asked around in other forums but no one seems to know why
this doesn't work.

I have a backup server with samba on it and am trying to set it up to
only allow write access when a user authenticates but to allow reading
from anyone (guest). At this time I have guest disabled and a minimal
config set up as shown below to try to narrow down the problem.

I have added the user "xamindar" using smbpasswd on the server. I then
tried to mount the backup share from another machine with the following
command:
mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar

But I keep getting the following response:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Can anyone tell me what I am doing wrong here? I am sure I have missed
something. It is possible to authenticate per share with share level
security is it not? I just can't get authentication to work no matter
what I have tried on this machine. With guest enabled it will just use
the guest account and that works fine.
Thanks for any help, I am pulling my hair out here.


***smb.conf***
[global]
 server string = Backup and Multimedia server
 security = SHARE
 smb passwd file = /etc/samba/private/passdb.tdb
 load printers = No
 disable spoolss = Yes
 show add printer wizard = No
 write list = xamindar
 printing = bsd
 print command = lpr -r -P'%p' %s
 lpq command = lpq -P'%p'
 lprm command = lprm -P'%p' %j
 map hidden = Yes
 map system = Yes

[backup]
 path = /mnt/user/backup

**






Re: [Samba] Samba authentication problem

2011-04-11 Thread Xamindar

Little update.
I just found that if I choose "Map Network Drive" on the vista machine it
will authenticate and connect the share as a network drive. Why does it 
fail when just browsing through network neighborhood?
It looks like it is still read only this way. But guest access for this 
share should be disabled so it makes no sense.



Re: [Samba] Samba authentication problem

2011-04-11 Thread Xamindar
I'm coming back to this problem after giving it a rest for a while. I 
find it hard to believe that no one sets up authentication with security 
set to share. Is that really the case? Is share security deprecated and 
untested or something? As no one was able to point out what I did wrong 
in my config before, I decided to try setting this scenario up on a 
completely different system which runs a different distro (same version 
of samba afaik).  I am having the same exact problem on this other 
machine so it must be a config issue or samba just doesn't work this 
way. This time I am testing it by trying to connect to it from a windows 
xp and vista machine. Both machines keep re-prompting me for the userid 
and password of the share over and over again after I type the correct 
password. Why is it so impossible to have a simple username authenticate 
to a share? At this point to have a little security, I have to make them 
all guest access read only as nothing else works in this mode. I don't 
mean to sound a little frustrated but I would have thought samba would 
be a little more robust than that by now.


If it just isn't meant to work this way can someone help me out a little 
and explain it? I have read through the docs and explanations of the 
different options many times and can't find a reason it shouldn't work. 
Thanks for any help, I don't know what else to do.


On 3/24/2011 1:00 PM, Xamindar wrote:

Hi, I have asked around in other forums but no one seems to know why
this doesn't work.

I have a backup server with samba on it and am trying to set it up to
only allow write access when a user authenticates but to allow reading
from anyone (guest). At this time I have guest disabled and a minimal
config set up as shown below to try to narrow down the problem.

I have added the user "xamindar" using smbpasswd on the server. I then
tried to mount the backup share from another machine with the following
command:
mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar

But I keep getting the following response:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Can anyone tell me what I am doing wrong here? I am sure I have missed
something. It is possible to authenticate per share with share level
security is it not? I just can't get authentication to work no matter
what I have tried on this machine. With guest enabled it will just use
the guest account and that works fine.
Thanks for any help, I am pulling my hair out here.


***smb.conf***
[global]
 server string = Backup and Multimedia server
 security = SHARE
 smb passwd file = /etc/samba/private/passdb.tdb
 load printers = No
 disable spoolss = Yes
 show add printer wizard = No
 write list = xamindar
 printing = bsd
 print command = lpr -r -P'%p' %s
 lpq command = lpq -P'%p'
 lprm command = lprm -P'%p' %j
 map hidden = Yes
 map system = Yes

[backup]
 path = /mnt/user/backup

**




Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-31 Thread Brian O'Mahony
I deleted *everything* in /var/lib/samba and it worked.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Brian O'Mahony
Sent: Thursday, March 31, 2011 10:03 AM
To: 'Dale Schroeder'
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

There is no /var/cache/samba folder.

Any idea what files I'm looking for?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Wednesday, March 30, 2011 7:50 PM
To: Brian O'Mahony
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

Also check /var/cache/samba

Dale


On 03/30/2011 11:48 AM, Brian O'Mahony wrote:
> samba3-3.4.11-42.el5
>
> However I have moved to using idmap_rid, as I will have cold standbys of 
> machines that I want to be able to access SAN data, with the same IDs.
>
> So how does one go about clearing the samba user cache? I had it set
> up with users starting at 1. With RID I have now brought this down
> to 500 (so I can easily see the difference). I deleted the winbindd_*
> files & folder in /var/lib/samba, but when I use a "getent passwd
> brian.omahony" it's showing the id as 10
>
> Thanks
>
> B
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Wednesday, March 30, 2011 4:28 PM
> To: Samba
> Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]
>
> What version of samba?  I found that samba 3.0.x (as bundled with
> solaris) had problems with idmap.  This was with LDAP backend, a Samba 
> DC with trusts to Windows 2003 domain  (in  NT domain compatibility
> mode.)  Samba would allocate idmap entries in ldap, and would populate the 
> TDB cache files.  but when the cache timeout expired, the cache files were 
> not repopulated.
>
> Long and short- I don't think Samba 3.0.x plays nice with Windows
> 2003.   It doesn't work with Windows 2008 domains (2003 mode.)
>
>
>
>
> On 03/30/2011 10:07 AM, Brian O'Mahony wrote:
>> After a bit of googling, I found that the idmap has been corrupted. Why 
>> would/could this happen?
>>
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org
>> [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
>> Sent: Wednesday, March 30, 2011 2:37 PM
>> To: samba@lists.samba.org
>> Subject: [Samba] Samba Authentication wrecking my head [ADS]
>>
>> I've recently installed three servers with RHEL5u5. After some messing on the
>> original, I got samba working with ADS authentication. I then went and got
>> it working so that users could log in using their domain name & password to
>> the box. I got this working with both no restriction, and ADS group
>> restriction. I have left it on no restriction while I get these systems up
>> and running.
>>
>> I then copied my configuration files (krb5.conf, samba.conf, 
>> system-auth.conf) to the second machine. Everything works.  Rebooted, 
>> everything is fine. System running as expected.
>>
>> I copied to the third machine. Everything worked fine. I was able to log in 
>> using two users (mine and a colleague's). Set up some other machine stuff,
>> rebooted, and passed the machine over.
>>
>> I was then informed (naturally 5mins after I left the office) that there was 
>> something wrong. Those two accounts worked from both a samba perspective, 
>> and a login perspective. However a third account that was supposed to work, 
>> failed with "su: user ccadm does not exist". Now samba doesn't work for any 
>> user other than the original too, and the same goes for logins.
>>
>> I tried net ads leave, kdestroy, renaming the system, rebooting. I have
>> rejoined the domain as both that system name, and a new one, with no issues:
>> [root@akbarTRAP log]# wbinfo -t
>> checking the trust secret via RPC calls succeeded
>> [root@akbarTRAP log]# net ads testjoin
>> Join is OK
>> [root@akbarTRAP log]# wbinfo -u | grep ccadm
>> Ccadm
>>
>> So my questions are:
>>
>>
>> 1.   Where the hell are these accounts being cached, that work.
>>
>> 2.   What the hell has happened to make this no longer work.
>>
>> 3.   Why if I can see all the users & groups can I not log in, or get
>> samba working.
>>
>> This is really starting to get on my nerves. I just cannot understand why if 
>> it can see the users using wbinfo, why it is telling me they don't exist.
>>
>> Would really appreciate some help on thi

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-31 Thread Brian O'Mahony
There is no /var/cache/samba folder.

Any idea what files I'm looking for?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Wednesday, March 30, 2011 7:50 PM
To: Brian O'Mahony
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

Also check /var/cache/samba

Dale


On 03/30/2011 11:48 AM, Brian O'Mahony wrote:
> samba3-3.4.11-42.el5
>
> However I have moved to using idmap_rid, as I will have cold standbys of 
> machines that I want to be able to access SAN data, with the same IDs.
>
> So how does one go about clearing the samba user cache? I had it set up with
> users starting at 1. With RID I have now brought this down to 500 (so I
> can easily see the difference). I deleted the winbindd_* files & folder in
> /var/lib/samba, but when I use a "getent passwd brian.omahony" it's showing
> the id as 10
>
> Thanks
>
> B
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
> Behalf Of Gaiseric Vandal
> Sent: Wednesday, March 30, 2011 4:28 PM
> To: Samba
> Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]
>
> What version of samba?  I found that samba 3.0.x (as bundled with
> solaris) had problems with idmap.  This was with LDAP backend, a Samba DC 
> with trusts to Windows 2003 domain  (in  NT domain compatibility
> mode.)  Samba would allocate idmap entries in ldap, and would populate the 
> TDB cache files.  but when the cache timeout expired, the cache files were 
> not repopulated.
>
> Long and short- I don't think Samba 3.0.x plays nice with Windows
> 2003.   It doesn't work with Windows 2008 domains (2003 mode.)
>
>
>
>
> On 03/30/2011 10:07 AM, Brian O'Mahony wrote:
>> After a bit of googling, I found that the idmap has been corrupted. Why 
>> would/could this happen?
>>
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org
>> [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
>> Sent: Wednesday, March 30, 2011 2:37 PM
>> To: samba@lists.samba.org
>> Subject: [Samba] Samba Authentication wrecking my head [ADS]
>>
>> I've recently installed three servers with RHEL5u5. After some messing on the
>> original, I got samba working with ADS authentication. I then went and got
>> it working so that users could log in using their domain name & password to
>> the box. I got this working with both no restriction, and ADS group
>> restriction. I have left it on no restriction while I get these systems up
>> and running.
>>
>> I then copied my configuration files (krb5.conf, samba.conf, 
>> system-auth.conf) to the second machine. Everything works.  Rebooted, 
>> everything is fine. System running as expected.
>>
>> I copied to the third machine. Everything worked fine. I was able to log in 
>> using two users (mine and a colleague's). Set up some other machine stuff,
>> rebooted, and passed the machine over.
>>
>> I was then informed (naturally 5mins after I left the office) that there was 
>> something wrong. Those two accounts worked from both a samba perspective, 
>> and a login perspective. However a third account that was supposed to work, 
>> failed with "su: user ccadm does not exist". Now samba doesn't work for any 
>> user other than the original too, and the same goes for logins.
>>
>> I tried net ads leave, kdestroy, renaming the system, rebooting. I have
>> rejoined the domain as both that system name, and a new one, with no issues:
>> [root@akbarTRAP log]# wbinfo -t
>> checking the trust secret via RPC calls succeeded
>> [root@akbarTRAP log]# net ads testjoin
>> Join is OK
>> [root@akbarTRAP log]# wbinfo -u | grep ccadm
>> Ccadm
>>
>> So my questions are:
>>
>>
>> 1.   Where the hell are these accounts being cached, that work.
>>
>> 2.   What the hell has happened to make this no longer work.
>>
>> 3.   Why if I can see all the users & groups can I not log in, or get
>> samba working.
>>
>> This is really starting to get on my nerves. I just cannot understand why if 
>> it can see the users using wbinfo, why it is telling me they don't exist.
>>
>> Would really appreciate some help on this.
>>
>> Regards
>> B
>>
>>
>>
>> [root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
>> passwd: files winbind
>> shadow: files winbind
>> group:  files winbind
>>
>> log.winbind:
>> [2011/03/30 14:29:03,  3] 
>> winbindd/winbindd_misc.c:7

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Dale Schroeder

Also check /var/cache/samba

Dale


On 03/30/2011 11:48 AM, Brian O'Mahony wrote:

samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of 
machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with users starting
at 1. With RID I have now brought this down to 500 (so I can easily see the difference).
I deleted the winbindd_* files & folder in /var/lib/samba, but when I use a "getent
passwd brian.omahony" it's showing the id as 10

Thanks

B

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Gaiseric Vandal
Sent: Wednesday, March 30, 2011 4:28 PM
To: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

What version of samba?  I found that samba 3.0.x (as bundled with
solaris) had problems with idmap.  This was with LDAP backend, a Samba DC with 
trusts to Windows 2003 domain  (in  NT domain compatibility
mode.)  Samba would allocate idmap entries in ldap, and would populate the TDB 
cache files.  but when the cache timeout expired, the cache files were not 
repopulated.

Long and short- I don't think Samba 3.0.x plays nice with Windows
2003.   It doesn't work with Windows 2008 domains (2003 mode.)




On 03/30/2011 10:07 AM, Brian O'Mahony wrote:

After a bit of googling, I found that the idmap has been corrupted. Why 
would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the
original, I got samba working with ADS authentication. I then went and got it
working so that users could log in using their domain name & password to the
box. I got this working with both no restriction, and ADS group restriction. I have
left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) 
to the second machine. Everything works.  Rebooted, everything is fine. System 
running as expected.

I copied to the third machine. Everything worked fine. I was able to log in 
using two users (mine and a colleague's). Set up some other machine stuff,
rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something 
wrong. Those two accounts worked from both a samba perspective, and a login perspective. 
However a third account that was supposed to work, failed with "su: user ccadm does 
not exist". Now samba doesn't work for any user other than the original too, and the 
same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:


1.   Where the hell are these accounts being cached, that work.

2.   What the hell has happened to make this no longer work.

3.   Why if I can see all the users & groups can I not log in, or get 
samba working.

This is really starting to get on my nerves. I just cannot understand why if it 
can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B



[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group:  files winbind

log.winbind:
[2011/03/30 14:29:03,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
[ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akba

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
samba3-3.4.11-42.el5

However I have moved to using idmap_rid, as I will have cold standbys of 
machines that I want to be able to access SAN data, with the same IDs.

So how does one go about clearing the samba user cache? I had it set up with 
users starting at 1. With RID I have now brought this down to 500 (so I can 
easily see the difference). I deleted the winbindd_* files & folder in 
/var/lib/samba, but when I use a "getent passwd brian.omahony" it's showing the 
id as 10

Thanks

B

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Gaiseric Vandal
Sent: Wednesday, March 30, 2011 4:28 PM
To: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

What version of samba?  I found that samba 3.0.x (as bundled with
solaris) had problems with idmap.  This was with LDAP backend, a Samba DC with 
trusts to Windows 2003 domain  (in  NT domain compatibility
mode.)  Samba would allocate idmap entries in ldap, and would populate the TDB 
cache files.  but when the cache timeout expired, the cache files were not 
repopulated.

Long and short- I don't think Samba 3.0.x plays nice with Windows 
2003.   It doesn't work with Windows 2008 domains (2003 mode.)




On 03/30/2011 10:07 AM, Brian O'Mahony wrote:
> After a bit of googling, I found that the idmap has been corrupted. Why 
> would/could this happen?
>
> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
> Sent: Wednesday, March 30, 2011 2:37 PM
> To: samba@lists.samba.org
> Subject: [Samba] Samba Authentication wrecking my head [ADS]
>
> I've recently installed three servers with RHEL5u5. After some messing on the 
> original, I got samba working with ADS authentication. I then went and got it 
> working so that users could log in using their domain name & password to the 
> box. I got this working with both no restriction, and ADS group restriction. 
> I have left it on no restriction while I get these systems up and running.
>
> I then copied my configuration files (krb5.conf, samba.conf, 
> system-auth.conf) to the second machine. Everything works.  Rebooted, 
> everything is fine. System running as expected.
>
> I copied to the third machine. Everything worked fine. I was able to log in 
> using two users (mine and a colleagues). Set up some other machine stuff, 
> rebooted, and passed the machine over.
>
> I was then informed (naturally 5mins after I left the office) that there was 
> something wrong. Those two accounts worked from both a samba perspective, and 
> a login perspective. However a third account that was supposed to work, 
> failed with "su: user ccadm does not exist". Now samba doesn't work for any 
> user other than the original too, and the same goes for logins.
>
> I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
> rejoined the domain as both that system name, and a new one, with no issues:
> [root@akbarTRAP log]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> [root@akbarTRAP log]# net ads testjoin
> Join is OK
> [root@akbarTRAP log]# wbinfo -u | grep ccadm
> Ccadm
>
> So my questions are:
>
>
> 1.   Where the hell are these accounts being cached, that work.
>
> 2.   What the hell has happened to make this no longer work.
>
> 3.   Why if I can see all the users & groups can I not log in, or get 
> samba working.
>
> This is really starting to get on my nerves. I just cannot understand why if 
> it can see the users using wbinfo, why it is telling me they don't exist.
>
> Would really appreciate some help on this.
>
> Regards
> B
>
>
>
> [root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
> passwd: files winbind
> shadow: files winbind
> group:  files winbind
>
> log.winbind:
> [2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
>   [ 7381]: request interface version
> [2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
>   [ 7381]: request location of privileged pipe
> [2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
>   [ 7381]: getpwnam ccadm
> [2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
>   [ 7381]: getpwnam ccadm
> [2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
>   [ 7381]: request interface version
> [2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
>   [ 7381]: request location of privileged pipe
> [2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
>   [ 7381]: pam auth ccadm
>

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Gaiseric Vandal
What version of samba?  I found that samba 3.0.x (as bundled with 
solaris) had problems with idmap.  This was with LDAP backend, a Samba 
DC with trusts to Windows 2003 domain  (in  NT domain compatibility 
mode.)  Samba would allocate idmap entries in ldap, and would populate 
the TDB cache files.  but when the cache timeout expired, the cache 
files were not repopulated.


Long and short- I don't think Samba 3.0.x plays nice with Windows 
2003.   It doesn't work with Windows 2008 domains (2003 mode.)





On 03/30/2011 10:07 AM, Brian O'Mahony wrote:

After a bit of googling, I found that the idmap has been corrupted. Why 
would/could this happen?

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the 
original, I got samba working with ADS authentication. I then went and got it 
working so that users could log in using their domain name & password to the 
box. I got this working with both no restriction, and ADS group restriction. I have 
left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) 
to the second machine. Everything works.  Rebooted, everything is fine. System 
running as expected.

I copied to the third machine. Everything worked fine. I was able to log in 
using two users (mine and a colleagues). Set up some other machine stuff, 
rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something 
wrong. Those two accounts worked from both a samba perspective, and a login perspective. 
However a third account that was supposed to work, failed with "su: user ccadm does 
not exist". Now samba doesn't work for any user other than the original too, and the 
same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:


1.   Where the hell are these accounts being cached, that work.

2.   What the hell has happened to make this no longer work.

3.   Why if I can see all the users & groups can I not log in, or get samba 
working.

This is really starting to get on my nerves. I just cannot understand why if it 
can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B



[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group:  files winbind

log.winbind:
[2011/03/30 14:29:03,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
   [ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
   [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
   [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
   [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
   [ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
   [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
   [ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
   [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succe

Re: [Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
After a bit of googling, I found that the idmap has been corrupted. Why 
would/could this happen?

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the 
original, I got samba working with ADS authentication. I then went and got it 
working so that users could log in using their domain name & password to the 
box. I got this working with both no restriction, and ADS group restriction. I 
have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) 
to the second machine. Everything works.  Rebooted, everything is fine. System 
running as expected.

I copied to the third machine. Everything worked fine. I was able to log in 
using two users (mine and a colleagues). Set up some other machine stuff, 
rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was 
something wrong. Those two accounts worked from both a samba perspective, and a 
login perspective. However a third account that was supposed to work, failed 
with "su: user ccadm does not exist". Now samba doesn't work for any user other 
than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:


1.   Where the hell are these accounts being cached, that work.

2.   What the hell has happened to make this no longer work.

3.   Why if I can see all the users & groups can I not log in, or get samba 
working.

This is really starting to get on my nerves. I just cannot understand why if it 
can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B



[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group:  files winbind

log.winbind:
[2011/03/30 14:29:03,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2


# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = 

[Samba] Samba Authentication wrecking my head [ADS]

2011-03-30 Thread Brian O'Mahony
I've recently installed three servers with RHEL5u5. After some messing on the 
original, I got samba working with ADS authentication. I then went and got it 
working so that users could log in using their domain name & password to the 
box. I got this working with both no restriction, and ADS group restriction. I 
have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) 
to the second machine. Everything works.  Rebooted, everything is fine. System 
running as expected.

I copied to the third machine. Everything worked fine. I was able to log in 
using two users (mine and a colleagues). Set up some other machine stuff, 
rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was 
something wrong. Those two accounts worked from both a samba perspective, and a 
login perspective. However a third account that was supposed to work, failed 
with "su: user ccadm does not exist". Now samba doesn't work for any user other 
than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have 
rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:


1.   Where the hell are these accounts being cached, that work.

2.   What the hell has happened to make this no longer work.

3.   Why if I can see all the users & groups can I not log in, or get samba 
working.

This is really starting to get on my nerves. I just cannot understand why if it 
can see the users using wbinfo, why it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B



[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group:  files winbind

log.winbind:
[2011/03/30 14:29:03,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] 
winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user 
unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password 
(0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item 
returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request 
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: 
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is 
right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' 
denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error 
retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm 
from 172.16.165.248 port 39699 ssh2


# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 172.16.164.100
template homedir = /home/%U
template shell = /bin/bash

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 qui
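
An added triage example for the secure log in the post above (not code from the thread or from the Samba project): it separates "the account name could not be resolved" from "the password was rejected". When sshd has already marked the user invalid, OpenSSH does not hand the typed password to PAM, so the later NT_STATUS_WRONG_PASSWORD from pam_winbind says nothing about the real password. The first sample is the post's log with mail line-wrapping undone and the poster's bracketed remark dropped; the `alice` lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Secure-log lines from the post, unwrapped.
SECURE_LOG = """\
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2
"""

# Constructed lines (not from the post): NSS resolves the user, the password is wrong.
CONSTRUCTED_LOG = """\
Mar 30 14:31:10 akbartrap sshd[7400]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 14:31:10 akbartrap sshd[7400]: pam_winbind(sshd:auth): user 'alice' denied access (incorrect password or invalid membership)
Mar 30 14:31:12 akbartrap sshd[7400]: Failed password for alice from 172.16.165.248 port 39700 ssh2
"""

NSS_VERDICT = "name lookup failed (NSS/idmap); password result is not meaningful"
CRED_VERDICT = "account resolves; credentials were rejected"

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# First matching rule wins, so every log line is counted at most once.
RULES = [
    ("nss_miss", re.compile(r"^Invalid user (?P<user>\S+) from ")),
    ("nss_miss", re.compile(r"^input_userauth_request: invalid user (?P<user>\S+)")),
    ("nss_miss", re.compile(r"check pass; user unknown")),
    ("nss_miss", re.compile(r"error retrieving information about user (?P<user>\S+)")),
    ("nss_miss", re.compile(r"^Failed password for invalid user (?P<user>\S+) from ")),
    ("auth_fail", re.compile(r"request wbcLogonUser failed: .*NTSTATUS: (?P<status>NT_STATUS_\w+)")),
    ("auth_fail", re.compile(r"user '(?P<user>[^']+)' denied access")),
    ("auth_fail", re.compile(r"^Failed password for (?P<user>\S+) from ")),
]


def classify(msg):
    """Return (kind, user, status) for one sshd/PAM message, or (None, None, None)."""
    for kind, rx in RULES:
        m = rx.search(msg)
        if m:
            groups = m.groupdict()
            return kind, groups.get("user"), groups.get("status")
    return None, None, None


def triage(log_text):
    """Summarise failures per user; lines without a user name are attributed via the sshd PID."""
    events, pid_user = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, user, status = classify(m["msg"])
        if kind is None:
            continue
        if user:
            pid_user.setdefault(m["pid"], user)
        events.append((m["pid"], kind, user, status))

    report = defaultdict(lambda: {"nss_miss": 0, "auth_fail": 0, "statuses": []})
    for pid, kind, user, status in events:
        entry = report[user or pid_user.get(pid, "pid:" + pid)]
        entry[kind] += 1
        if status:
            entry["statuses"].append(status)
    for entry in report.values():
        # A lookup failure takes precedence: sshd flagged the user before PAM ran.
        entry["verdict"] = NSS_VERDICT if entry["nss_miss"] else CRED_VERDICT
    return dict(report)


if __name__ == "__main__":
    for name, log in (("post", SECURE_LOG), ("constructed", CONSTRUCTED_LOG)):
        for user, entry in triage(log).items():
            print(name, user, entry["nss_miss"], entry["auth_fail"], entry["verdict"])
```
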

Re: [Samba] Samba authentication problem

2011-03-25 Thread TAKAHASHI Motonobu
From: Xamindar 
Date: Thu, 24 Mar 2011 16:47:16 -0700

> > Sounds like a bug in your version of the cifsfs kernel
> > module. With security=share try connecting with the
> > same password using smbclient. If it correctly connects
> > then it's cifsfs screwing up somehow.
> > 
> > Jeremy.
> It still rejects it with this message:
> 
> # smbclient //172.16.0.7/backup -U xamindar
> Enter xamindar's password:
> Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
> Server not using user level security and no password supplied.
> Server requested LANMAN password (share-level security) but 'client
> lanman auth' is disabled
> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> I did type the password even though it is saying no password is
> supplied. I tried enabling 'client lanman auth' and restarting the
> server but I still get the same message when trying to connect.

As far as I examined with smbclient of Samba 3.5.8, the same issue
occurs but mount.cifs works well. 

My smb.conf:

-
[global]
  security = share

[tmp]
  path = /tmp
-

# /usr/local/samba/sbin/mount.cifs  //192.168.135.128/tmp /smb1 -o 
user=monyo%password

# df -k | grep /smb1
   7850996   2059428   5392756  28% /smb1

# /usr/local/samba/bin/smbclient //192.168.135.128/tmp -o monyo%password
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.5.8]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client
lanman auth' is disabled

---
TAKAHASHI Motonobu 


Re: [Samba] Samba authentication problem

2011-03-24 Thread Xamindar


On 03/24/2011 03:55 PM, Jeremy Allison wrote:
> On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
>> On 03/24/2011 03:33 PM, Jeremy Allison wrote:
>>> Share level security doesn't automatically mean no password.
>>> Either use the password for user xamindar, or add 
>> Like I stated in the first post, it is not accepting the password for
>> "xamindar". It spits back that it is wrong and in the logs I see
>> "create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD". The
>> password is correct. It works fine with security set to user. I have
>> tested with the mount command in linux and with a Vista machine, neither
>> are able to connect.
>>
>>>
>>> "map to guest = Bad Password"
>>>
>> When this is set it will ALWAYS connect as guest because it is not
>> accepting any valid passwords.
>>
>>> in the [global] section of your smb.conf. See the
>>> smb.conf man page for details.
>> Thanks for the recommendations.
>>>
>>> Jeremy.
>> Am I missing something vital when security is set to share?
> 
> Sounds like a bug in your version of the cifsfs kernel
> module. With security=share try connecting with the
> same password using smbclient. If it correctly connects
> then it's cifsfs screwing up somehow.
> 
> Jeremy.
It still rejects it with this message:

# smbclient //172.16.0.7/backup -U xamindar
Enter xamindar's password:
Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client
lanman auth' is disabled
tree connect failed: NT_STATUS_ACCESS_DENIED

I did type the password even though it is saying no password is
supplied. I tried enabling 'client lanman auth' and restarting the
server but I still get the same message when trying to connect.


Re: [Samba] Samba authentication problem

2011-03-24 Thread Jeremy Allison
On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
> On 03/24/2011 03:33 PM, Jeremy Allison wrote:
> > Share level security doesn't automatically mean no password.
> > Either use the password for user xamindar, or add 
> Like I stated in the first post, it is not accepting the password for
> "xamindar". It spits back that it is wrong and in the logs I see
> "create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD". The
> password is correct. It works fine with security set to user. I have
> tested with the mount command in linux and with a Vista machine, neither
> are able to connect.
> 
> > 
> > "map to guest = Bad Password"
> > 
> When this is set it will ALWAYS connect as guest because it is not
> accepting any valid passwords.
> 
> > in the [global] section of your smb.conf. See the
> > smb.conf man page for details.
> Thanks for the recommendations.
> > 
> > Jeremy.
> Am I missing something vital when security is set to share?

Sounds like a bug in your version of the cifsfs kernel
module. With security=share try connecting with the
same password using smbclient. If it correctly connects
then it's cifsfs screwing up somehow.

Jeremy.


Re: [Samba] Samba authentication problem

2011-03-24 Thread Xamindar
On 03/24/2011 03:33 PM, Jeremy Allison wrote:
> Share level security doesn't automatically mean no password.
> Either use the password for user xamindar, or add 
Like I stated in the first post, it is not accepting the password for
"xamindar". It spits back that it is wrong and in the logs I see
"create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD". The
password is correct. It works fine with security set to user. I have
tested with the mount command in linux and with a Vista machine, neither
are able to connect.

> 
> "map to guest = Bad Password"
> 
When this is set it will ALWAYS connect as guest because it is not
accepting any valid passwords.

> in the [global] section of your smb.conf. See the
> smb.conf man page for details.
Thanks for the recommendations.
> 
> Jeremy.
Am I missing something vital when security is set to share?


Re: [Samba] Samba authentication problem

2011-03-24 Thread Jeremy Allison
On Thu, Mar 24, 2011 at 01:00:51PM -0700, Xamindar wrote:
> Hi, I have asked around in other forums but no one seems to know why
> this doesn't work.
> 
> I have a backup server with samba on it and am trying to set it up to
> only allow write access when a user authenticates but to allow reading
> from anyone (guest). At this time I have guest disabled and a minimal
> config set up as shown below to try to narrow down the problem.
> 
> I have added the user "xamindar" using smbpasswd on the server. I then
> tried to mount the backup share from another machine with the following
> command:
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
> 
> But I keep getting the following response:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> Can anyone tell me what I am doing wrong here? I am sure I have missed
> something. It is possible to authenticate per share with share level
> security is it not? I just can't get authentication to work no matter
> what I have tried on this machine. With guest enabled it will just use
> the guest account and that works fine.
> Thanks for any help, I am pulling my hair out here.

Share level security doesn't automatically mean no password.
Either use the password for user xamindar, or add 

"map to guest = Bad Password"

in the [global] section of your smb.conf. See the
smb.conf man page for details.

Jeremy.


Re: [Samba] Samba authentication problem

2011-03-24 Thread Xamindar
That is the version of samba that I am running, but it does not work.
This is an Arch system and I doubt they would have changed it.

On 03/24/2011 03:16 PM, Jeremy Allison wrote:

> No, share level security, warts and all, still exists and
> works in 3.5.8.
>
> Jeremy.


Re: [Samba] Samba authentication problem

2011-03-24 Thread Jeremy Allison
On Thu, Mar 24, 2011 at 03:14:54PM -0700, Xamindar wrote:
> In further testing, changing security to user gets authentication
> working. Does anyone know why the Samba team removed the possibility to
> authenticate with share based security? I would find it very useful to
> be able to see the shares and then authenticate when connecting to one.
> Also, the help file (from swat) needs to be corrected to reflect this.
> The sections on security in the help file still states "Instead, the
> clients send authentication information (passwords) on a per-share
> basis, at the time they attempt to connect to that share" which
> apparently no longer works.

No, share level security, warts and all, still exists and
works in 3.5.8.

Jeremy.


Re: [Samba] Samba authentication problem

2011-03-24 Thread Xamindar
In further testing, changing security to user gets authentication
working. Does anyone know why the Samba team removed the possibility to
authenticate with share based security? I would find it very useful to
be able to see the shares and then authenticate when connecting to one.
Also, the help file (from swat) needs to be corrected to reflect this.
The sections on security in the help file still states "Instead, the
clients send authentication information (passwords) on a per-share
basis, at the time they attempt to connect to that share" which
apparently no longer works.

On 03/24/2011 01:00 PM, Xamindar wrote:
> Hi, I have asked around in other forums but no one seems to know why
> this doesn't work.
> 
> I have a backup server with samba on it and am trying to set it up to
> only allow write access when a user authenticates but to allow reading
> from anyone (guest). At this time I have guest disabled and a minimal
> config set up as shown below to try to narrow down the problem.
> 
> I have added the user "xamindar" using smbpasswd on the server. I then
> tried to mount the backup share from another machine with the following
> command:
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
> 
> But I keep getting the following response:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> Can anyone tell me what I am doing wrong here? I am sure I have missed
> something. It is possible to authenticate per share with share level
> security is it not? I just can't get authentication to work no matter
> what I have tried on this machine. With guest enabled it will just use
> the guest account and that works fine.
> Thanks for any help, I am pulling my hair out here.
> 
> 
> ***smb.conf***
> [global]
> server string = Backup and Multimedia server
> security = SHARE
> smb passwd file = /etc/samba/private/passdb.tdb
> load printers = No
> disable spoolss = Yes
> show add printer wizard = No
> write list = xamindar
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> map hidden = Yes
> map system = Yes
> 
> [backup]
> path = /mnt/user/backup
> 
> **


[Samba] Samba authentication problem

2011-03-24 Thread Xamindar
Hi, I have asked around in other forums but no one seems to know why
this doesn't work.

I have a backup server with samba on it and am trying to set it up to
only allow write access when a user authenticates but to allow reading
from anyone (guest). At this time I have guest disabled and a minimal
config set up as shown below to try to narrow down the problem.

I have added the user "xamindar" using smbpasswd on the server. I then
tried to mount the backup share from another machine with the following
command:
mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar

But I keep getting the following response:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Can anyone tell me what I am doing wrong here? I am sure I have missed
something. It is possible to authenticate per share with share level
security is it not? I just can't get authentication to work no matter
what I have tried on this machine. With guest enabled it will just use
the guest account and that works fine.
Thanks for any help, I am pulling my hair out here.


***smb.conf***
[global]
server string = Backup and Multimedia server
security = SHARE
smb passwd file = /etc/samba/private/passdb.tdb
load printers = No
disable spoolss = Yes
show add printer wizard = No
write list = xamindar
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
map hidden = Yes
map system = Yes

[backup]
path = /mnt/user/backup

**


[Samba] samba authentication fails with trusted domain

2010-05-28 Thread Peter
We are using samba with domain authentication against a windows AD.
The account domain is AA.
All our hosts (windows and samba systems) and a few generic user accounts
are in a domain TT which trust the accounts from AA.
In Short our smbd.conf has:
 . . .
 security = domain
 workgroup = TT
 . . .
Normally a user logs on with the user account from AA as AA\userID.
We use users.map to map UXlogon = AA\userID

With Redhat EL5, Ubuntu Karmic (and also Lucid) these users have no problem
to access shares.
The samba daemon properly authenticates against the domain controller and
allows access to the local share UXlogon without any login dialog.
Things are different though if a user is logged in as TT\userID and tries to
access a samba share.
With Redhat things work like before.
With Ubuntu though I do not see any authentication dialog with the domain
controller and smbd tries to find the user in smbpasswd which of course is
not there.
Thus the user is denied access.
I do not understand why there is no request to the domain controller.
As a workaround I issued smbpasswd -a TTuserID and the user from TT can now
also access the share as expected.
Although this has solved the problem for me I still regard it as a bug. If
security = domain is used the correct behaviour should be to authenticate
all requests against the domain controller.
Because Redhat does it correctly I think that there was something wrong in
Ubuntu.
Unfortunately there is no Ubuntu forum for samba, launchpad bug tracking
just points to the samba team.
I hope that someone here can shine a light on this problem and it does not
become a game of back and forth between samba and ubuntu guys.



Re: [Samba] Samba Authentication - User ID Pass-Thru?

2010-05-15 Thread tms3

SNIP

> Now the issue I'm having may not have a workaround, but I'm just looking for
> ideas.  When users on the client (any computer on the network) write a file
> to the "server" that they see, it is in turn writing back to the Samba share
> on the file server.  Thus, no matter who writes the file, it's written to
> the actual filesystem as the user by which the gateway mounts the share on
> the file server.  Can anybody think of any way to pass along the user ID up
> the chain so that it's written to the filesystem as the originating user?

Long and short of it no.  This can also cause some serious other
problems.  Don't know why you want to do this, but here's a solution.

(Using LDAP backend would make this spiffy, but this should be ok)

On the server where stuff actually writes, share that as an NFS share
and mount it on the "Gateway" server.  Then share the nfs mount point
via samba.  The LDAP part comes in because you can have both servers
using ldap for users and groups and keep your permissions and UID/GID
stuff global.

> I can make sure the user accounts line up on the two servers, that's no big
> deal.  I'm just wondering if it's possible.
>
> It's not a showstopper for me if everything gets written as the same user, I
> can deal with that.  (Although I am having issues with create masks and
> group writability, but that's for another time.)  I'm just tossing the
> question out to the group to see if it's anything that's been dealt with
> before or anything interesting enough to warrant discussion/collaboration.
>
> The answer might even be to use something other than Samba between the
> gateway server and the file server.  I'm certainly open to suggestions on
> that.  The only other related technology with which I have any experience is
> NFS and I chose Samba over that simply for the stability and robustness in
> unexpected situations.  It's been my experience in the past that NFS gets
> pretty unstable when the network connection drops and can hang a machine's
> shutdown procedures.  This is to be avoided in this particular situation
> because, in the event of a power failure detected by the UPS, properly
> stopping the services and unmounting the filesystem cleanly are critical.
> The _only_ job of the file server on the back end is to protect the data.
>
> If anybody has any suggestions I'd really appreciate it.  Thanks!
>
> --
> Regards,
> David P. Donahue
>
> "It's hard enough to live in a world where you grow old and die, why be
> disharmonious?"
> - Jack Kerouac



[Samba] Samba Authentication - User ID Pass-Thru?

2010-05-15 Thread David P. Donahue
I probably have an odd setup, so please bear with me.  To simplify as much
as possible, I have two servers and a client.  The first server is the
back-end file server and is accessible only by the second ("gateway")
server.  (The second server has dual ethernet, one of which is a crossover
to the file server.)  The file server has a Samba share that's pretty simple
and open, and the gateway server mounts it.  Then the gateway server has a
Samba share at that mount point to share the back-end server out to the
network.  Again, bear with me on that :)

Now the issue I'm having may not have a workaround, but I'm just looking for
ideas.  When users on the client (any computer on the network) write a file
to the "server" that they see, it is in turn writing back to the Samba share
on the file server.  Thus, no matter who writes the file, it's written to
the actual filesystem as the user by which the gateway mounts the share on
the file server.  Can anybody think of any way to pass along the user ID up
the chain so that it's written to the filesystem as the originating user?  I
can make sure the user accounts line up on the two servers, that's no big
deal.  I'm just wondering if it's possible.

It's not a showstopper for me if everything gets written as the same user, I
can deal with that.  (Although I am having issues with create masks and
group writability, but that's for another time.)  I'm just tossing the
question out to the group to see if it's anything that's been dealt with
before or anything interesting enough to warrant discussion/collaboration.

The answer might even be to use something other than Samba between the
gateway server and the file server.  I'm certainly open to suggestions on
that.  The only other related technology with which I have any experience is
NFS and I chose Samba over that simply for the stability and robustness in
unexpected situations.  It's been my experience in the past that NFS gets
pretty unstable when the network connection drops and can hang a machine's
shutdown procedures.  This is to be avoided in this particular situation
because, in the event of a power failure detected by the UPS, properly
stopping the services and unmounting the filesystem cleanly are critical.
 The _only_ job of the file server on the back end is to protect the data.

If anybody has any suggestions I'd really appreciate it.  Thanks!


--
Regards,
David P. Donahue

"It's hard enough to live in a world where you grow old and die, why be
disharmonious?"
- Jack Kerouac


Re: [Samba] Samba Authentication with a windows password server

2009-10-13 Thread wispa

Hello Vishesh,

Thank you for the reply.
I'm not too familiar with the network, I've only been given access to the
linux machine so I'm unsure if there's a machine / workgroup name conflict.
It's something I shall have to investigate.

Here is a copy of the current smb.conf file (I've modified the workgroup /
domain):

[global]
#security = domain
security = ads
netbios name = WORKGROUP
#realm = WORKGROUP
realm = CORP.DOMAIN.COM
preferred master = no
password server = dc1.corp.domain.com
workgroup = WORKGROUP
idmap uid = 5000-1000
idmap gid = 5000-1000
winbind separator = +
#winbind enum users = no
#winbind enum groups = no
#winbind use default domain = yes
template homedir = /home/%d/%u
template shell = /bin/bash
#client use spnego = yes
#domain master = no
;   server string = samba 3.2.3
#   encrypt passwords = yes
;   guest ok = yes
;   guest account = nobody
#   os level = 128


Thanks again.






vishesh kumar wrote:
> 
> Dear wispa
>   Does the machine name or workgroup name collide in your network?
> Send the smb.conf configuration for detailed analysis
> 
> thanks
> 
> 



Re: [Samba] Samba Authentication with a windows password server

2009-10-07 Thread vishesh kumar
Dear wispa
  Does the machine name or workgroup name collide in your network?
Send the smb.conf configuration for detailed analysis

thanks


On Mon, Oct 5, 2009 at 9:03 PM, wispa  wrote:

>
> Hi all,
>
> I'm trying to set up Samba on a client's computer so that it authenticates
> the users which are accessing it via a windows domain controller and
> kerberos. I've been following various tutorials and it all seems to go
> through correctly but when the client tries to access the shares, it doesn't
> accept his credentials and won't get past the login window.
>
> The only failure seems to be within the nmbd log which says this (I've
> changed the domain name / IPs):
>
> [2009/10/05 16:27:43,  0]
> nmbd/nmbd_nameregister.c:register_name_response(129)
>  register_name_response: server at IP 192.168.1.122 rejected our name
> registration of DOMAIN<00> IP 192.168.1.120 with error code 6.
> [2009/10/05 16:27:43,  0] nmbd/nmbd_mynames.c:my_name_register_failed(35)
>  my_name_register_failed: Failed to register my name DOMAIN<00> on subnet
> 192.168.1.120.
>
> Now the odd thing is that 192.168.1.120 is the samba machine but
> 192.168.1.120 is a proxy server and doesn't seem to be referenced anywhere.
> Could this be a result of the windows machines not being set up correctly or
> would this be something incorrectly set up on the linux machine?
>
> I can't seem to figure it out.
>
> Many thanks.
>
> Oliver



-- 
http://linuxinterviews.blogspot.com


[Samba] Samba Authentication with a windows password server

2009-10-05 Thread wispa

Hi all, 

I'm trying to set up Samba on a client's computer so that it authenticates
the users which are accessing it via a windows domain controller and
kerberos. I've been following various tutorials and it all seems to go
through correctly but when the client tries to access the shares, it doesn't
accept his credentials and won't get past the login window.

The only failure seems to be within the nmbd log which says this (I've
changed the domain name / IPs):

[2009/10/05 16:27:43,  0]
nmbd/nmbd_nameregister.c:register_name_response(129)
  register_name_response: server at IP 192.168.1.122 rejected our name
registration of DOMAIN<00> IP 192.168.1.120 with error code 6.
[2009/10/05 16:27:43,  0] nmbd/nmbd_mynames.c:my_name_register_failed(35)
  my_name_register_failed: Failed to register my name DOMAIN<00> on subnet
192.168.1.120.

Now the odd thing is that 192.168.1.120 is the samba machine but
192.168.1.120 is a proxy server and doesn't seem to be referenced anywhere.
Could this be a result of the windows machines not being set up correctly or
would this be something incorrectly set up on the linux machine?

I can't seem to figure it out.

Many thanks.

Oliver


Re: [Samba] samba authentication via pam_pwdfile

2009-09-29 Thread Charles Yost

On Sep 29, 2009, at 6:47 AM, Adam Tauno Williams wrote:


> Because it doesn't work;  at least not without hacking every Windows
> client.  [Does that even still work anymore?  I don't know,  it really
> is not a reasonable/maintainable thing to do].
>
> You need to either setup an LDAP DSA and use that for authentication and
> have Samba use that too (as a DC).  Or setup Samba as a NT4 PDC and use
> that for authentication.  PAM is, practically speaking, a lost cause for
> Windows clients - for technical/implementation reasons it can't work
> well.


I apologize, I suppose I left some details out. I am not trying to  
setup a domain, or even share printers. All that I am looking to  
accomplish with my samba implementation is sharing a couple of  
directories on the server to a few independent windows machines. I  
don't need users to authenticate across a domain, just to be able to  
have access to the shares based on username restrictions. I can get  
this working just fine using the smbpasswd file, but I am trying to  
unify the passwords used for several services. I am sure it can be  
done because there is a whole chapter in the samba documentation on  
using PAM with winbind on a samba machine when you need to  
authenticate to an existing domain.

=>Charles


Re: [Samba] samba authentication via pam_pwdfile

2009-09-29 Thread Adam Tauno Williams
On Mon, 2009-09-28 at 18:37 -0400, Charles Yost wrote:
> I'm attempting to setup samba authentication via PAM and more  
> specifically the pam_pwdfile module. So far I have had trouble  
> determining the right mix of global settings to get this to work. I  
> have read through many tutorials online, but so far I have not found  
> good documentation on how to achieve this.

Because it doesn't work;  at least not without hacking every Windows
client.  [Does that even still work anymore?  I don't know,  it really
is not a reasonable/maintainable thing to do].

You need to either setup an LDAP DSA and use that for authentication and
have Samba use that too (as a DC).  Or setup Samba as a NT4 PDC and use
that for authentication.  PAM is, practically speaking, a lost cause for
Windows clients - for technical/implementation reasons it can't work
well.

-- 
OpenGroupware developer: awill...@whitemice.org

OpenGroupware & Cyrus IMAPd documentation @




[Samba] samba authentication via pam_pwdfile

2009-09-28 Thread Charles Yost
I'm attempting to setup samba authentication via PAM and more  
specifically the pam_pwdfile module. So far I have had trouble  
determining the right mix of global settings to get this to work. I  
have read through many tutorials online, but so far I have not found  
good documentation on how to achieve this. What I am really attempting  
to do is unify the credentials for access to the server though ftp,  
apache, and samba. I _do not_ want to link the linux shell credentials  
to this for various reasons including security. Any helpful  
suggestions would be appreciated.

=>Charles


Re: [Samba] Samba authentication against Linux-based Kerberos

2009-09-03 Thread Robert Markula
David Markey wrote:
> Otherwise you could do some pam hackery, perhaps stacking pam_winbind and
> pam_krb5 for password changing. You would have to do this on all the nodes
> on your network. And for the windows side of things you could write a
> password change script, which would be called by samba on a password
> change.

Thanks David!
Heimdal Kerberos is - in our case - no solution, as we're using MIT
Kerberos. So it's either some "pam hackery" (in which case the
distribution of the changes would pose no problems as all of our nodes
are configured centrally via cfengine) or we'll leave it the way it is
(advising users to change their passwords twice). I'll have a look at it
and see if I've got the time to dig deeper into this topic.

If anybody has ever done such a thing - don't be shy and share your
knowledge!

Cheers,
Robert



Re: [Samba] Samba authentication against Linux-based Kerberos

2009-09-01 Thread David Markey


Use the popular heimdal, openldap + smbk5pwd, samba3 combo

This will keep samba/ldap/kerberos passwords in sync no matter how or where
the password is changed.


Otherwise you could do some pam hackery, perhaps stacking pam_winbind and
pam_krb5 for password changing. You would have to do this on all the nodes
on your network. And for the windows side of things you could write a
password change script, which would be called by samba on a password
change.
 


On Tue, 01 Sep 2009 16:48:01 +0200, Robert Markula wrote:
> Hi,
> please consider the following situation in a heterogeneous, Windows
> Server-less network, where users use both Windows and Linux:
> 
> - On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam
> backend.
> - On Linux users authenticate against a combination of OpenLDAP and
> Kerberos.
> 
> This, of course, brings up the old problem that users have to
> synchronise their passwords manually for both Windows and Linux.
> 
> The ideal solution would be that Samba would just support authentication
> against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't
> seem possible with Samba3.
> 
> Is there anything else that can be done? So if users on Windows can't
> use Linux-based Kerberos for SSO, maybe there is at least a way for
> users to change their passwords on one OS and get it automatically
> synced for the other (i.e. if a user changes his password on a Windows
> machine it gets automatically changed for his Linux account as well and
> vice versa)?
> 
> Cheers,
> Robert


[Samba] Samba authentication against Linux-based Kerberos

2009-09-01 Thread Robert Markula
Hi,
please consider the following situation in a heterogeneous, Windows
Server-less network, where users use both Windows and Linux:

- On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam
backend.
- On Linux users authenticate against a combination of OpenLDAP and
Kerberos.

This, of course, brings up the old problem that users have to
synchronise their passwords manually for both Windows and Linux.

The ideal solution would be that Samba would just support authentication
against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't
seem possible with Samba3.

Is there anything else that can be done? So if users on Windows can't
use Linux-based Kerberos for SSO, maybe there is at least a way for
users to change their passwords on one OS and get it automatically
synced for the other (i.e. if a user changes his password on a Windows
machine it gets automatically changed for his Linux account as well and
vice versa)?

Cheers,
Robert


Re: [Samba] Samba authentication

2009-08-18 Thread Lukas Hejtmanek
On Tue, Aug 18, 2009 at 04:24:31PM -0400, Robert Freeman-Day wrote:
> Have you tried putting the following line in the [global] section of
> your smb.conf file?
> 
> client ntlmv2 auth = yes

and what should I put there if I want to authenticate with radius server and
not with ADS?

-- 
Lukáš Hejtmánek


Re: [Samba] Samba authentication

2009-08-18 Thread Robert Freeman-Day

Have you tried putting the following line in the [global] section of
your smb.conf file?

client ntlmv2 auth = yes

Lukas Hejtmanek wrote:
> Hello,
> 
> I wonder whether there is a way to authenticate samba against NTLM2 enabled
> radius server without using encrypt passwords = no.
> 
> I really have no other option than this. My situation is as follows.
> I have an organization that runs Microsoft Windows Server 2003 which is used
> as AD. This AD shares passwords with many information systems in our
> organisation and I would like to use these passwords also for samba users.
> 
> Administrators of AD disagree to add my samba server to their AD. No way here.
> They agree to export LDAP (without passwords), Kerberos or Radius and possibly
> other services but not AD itself.
> 
> Is there a way to authenticate my samba against their authentication service?
> If there is no way per-se, would it be possible to modify winbindd to
> authenticate via NTLM2 against the Radius server instead of AD?
> 

- --


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


[Samba] Samba authentication

2009-08-18 Thread Lukas Hejtmanek
Hello,

I wonder whether there is a way to authenticate samba against NTLM2 enabled
radius server without using encrypt passwords = no.

I really have no other option than this. My situation is as follows.
I have an organization that runs Microsoft Windows Server 2003 which is used
as AD. This AD shares passwords with many information systems in our
organisation and I would like to use these passwords also for samba users.

Administrators of AD disagree to add my samba server to their AD. No way here.
They agree to export LDAP (without passwords), Kerberos or Radius and possibly
other services but not AD itself.

Is there a way to authenticate my samba against their authentication service?
If there is no way per-se, would it be possible to modify winbindd to
authenticate via NTLM2 against the Radius server instead of AD?

-- 
Lukáš Hejtmánek


Re: [Samba] samba authentication PAM/LDAP

2008-11-18 Thread Gerald (Jerry) Carter

vishesh kumar wrote:

>   Are NT hashes required even if we use kerberos for authentication?

I don't understand the context of this question. A Samba 3 DC
does not support kerb5 auth.  So you can only use the NTLM
authentication (which requires the NT hash).

A domain member server just uses the DC for authentication and
so this question does seem to apply.

Did I miss something?




cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] samba authentication PAM/LDAP

2008-11-13 Thread vishesh kumar
On Thu, Nov 13, 2008 at 4:22 AM, Volker Lendecke <[EMAIL PROTECTED]> wrote:

> On Wed, Nov 12, 2008 at 03:41:12PM -0700, Christian McHugh wrote:
> > > On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:
> > > > Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which
> > > > only has Unix uids & password hashes ? Thank you.
> > >
> > > No. You need to store the NT hashes somewhere, either in
> > > LDAP or in another passdb backend.
> >
> > What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap,
> > and still run a samba server with the nss winbind backend?
>
> Sure. But someone in the end must have the NT hashes. In the
> case of winbind it's a domain controller.
>
> Volker

Dear all

  Are NT hashes required even if we use kerberos for authentication?


Re: [Samba] samba authentication PAM/LDAP

2008-11-12 Thread Volker Lendecke
On Wed, Nov 12, 2008 at 03:41:12PM -0700, Christian McHugh wrote:
> > On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:
> > > Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which
> > > only has Unix uids & password hashes ? Thank you.
> >
> > No. You need to store the NT hashes somewhere, either in
> > LDAP or in another passdb backend.
> 
> What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap, 
> and still run a samba server with the nss winbind backend?

Sure. But someone in the end must have the NT hashes. In the
case of winbind it's a domain controller.

Volker
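
Why a directory holding only Unix password hashes cannot answer an SMB logon, as an added example that is not part of the original thread: in NTLMv2 the client never sends the password, only an HMAC keyed with the NT hash, so the verifier has to hold that hash itself. The account names, hash bytes, challenge and the shortened client blob are constructed for illustration; a real blob also carries a timestamp and target information.

```python
import hashlib
import hmac

# Constructed account database. "alice" has an NT hash in the passdb backend;
# "bob" exists only as a Unix account with a salted crypt(3)-style hash.
PASSDB = {
    "alice": {
        "unix_hash": "$6$constructedsalt$constructeddigest",
        # Constructed 16-byte stand-in for MD4(UTF-16LE(password)).
        "nt_hash": bytes.fromhex("00112233445566778899aabbccddeeff"),
    },
    "bob": {
        "unix_hash": "$6$constructedsalt$constructeddigest",
        "nt_hash": None,
    },
}


def ntlmv2_key(nt_hash, user, domain):
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over
    UPPERCASE(user) + domain, encoded as UTF-16LE."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def ntlmv2_proof(nt_hash, user, domain, server_challenge, client_blob):
    """Proof sent by the client: HMAC-MD5 over server challenge + client blob."""
    key = ntlmv2_key(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def authenticate(passdb, user, domain, server_challenge, client_blob, proof):
    """Server-side check. The only input that ties the proof to the account
    is the stored NT hash; the Unix hash is never consulted because no
    cleartext password arrives that could be run through crypt(3)."""
    account = passdb.get(user)
    if account is None:
        return "logon_failure"
    nt_hash = account["nt_hash"]
    if nt_hash is None:
        # A salted Unix hash is a different one-way function of the password,
        # so the expected HMAC cannot be derived from it.
        return "no_nt_hash"
    expected = ntlmv2_proof(nt_hash, user, domain, server_challenge, client_blob)
    return "ok" if hmac.compare_digest(expected, proof) else "logon_failure"


def demo():
    domain = "EXAMPLE"                                  # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    client_blob = bytes.fromhex("ffeeddccbbaa9988")       # constructed, shortened

    # Client that knows alice's password derives the same NT hash.
    good = ntlmv2_proof(PASSDB["alice"]["nt_hash"], "alice", domain,
                        server_challenge, client_blob)
    # Client with the wrong password derives a different NT hash.
    bad = ntlmv2_proof(bytes(16), "alice", domain, server_challenge, client_blob)
    # bob's client is honest, but the server has nothing to compare against.
    bob = ntlmv2_proof(bytes(16), "bob", domain, server_challenge, client_blob)

    return {
        "alice_correct": authenticate(PASSDB, "alice", domain,
                                      server_challenge, client_blob, good),
        "alice_wrong": authenticate(PASSDB, "alice", domain,
                                    server_challenge, client_blob, bad),
        "bob_unix_only": authenticate(PASSDB, "bob", domain,
                                      server_challenge, client_blob, bob),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

With winbind on a member server the same check still happens, only on the domain controller that holds the hash.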



Re: [Samba] samba authentication PAM/LDAP

2008-11-12 Thread Christian McHugh
> On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:
> > Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which
> > only has Unix uids & password hashes ? Thank you.
>
> No. You need to store the NT hashes somewhere, either in
> LDAP or in another passdb backend.

What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap, 
and still run a samba server with the nss winbind backend?

If anyone has any tips for doing this I'd really like to know.

Thanks,
Christian McHugh


Re: [Samba] samba authentication PAM/LDAP

2008-11-12 Thread Volker Lendecke
On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:
> Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which
> only has Unix uids & password hashes ? Thank you.

No. You need to store the NT hashes somewhere, either in
LDAP or in another passdb backend.

Volker



[Samba] samba authentication PAM/LDAP

2008-11-12 Thread Lenny Shovsky
Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which
only has Unix uids & password hashes ? Thank you.


RE: [Samba] Samba authentication using ADS

2008-10-01 Thread Andrew Masterson
Try this:

http://wiki.samba.org/index.php/Samba_&_Active_Directory


> -Original Message-
> From: [EMAIL PROTECTED]
>
[mailto:[EMAIL PROTECTED]
]
> On Behalf Of Prashanth Adiyodi
> Sent: Wednesday, October 01, 2008 7:42 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba authentication using ADS
> 
> Greetings
> 
> 
> 
> I need help in setting up my linux box with ADS authentication on
Samba.
> I know that it can be done using winbind and Kerberos. I tried some of
> the online methods but I am not able to get a result.
> 
> 
> 
> Request you to please help me with this.
> 
> 
> 
> These are the steps I followed to setup winbind
> 
> 
> 
> * Using Authconfig command I put in the relavant details like "Use
> Winbind" and Use "Winbind Authentication" and left "Cache
Information",
> "Use MD5 Passwords" and "Use Shadow Passwords" selected
> * Then I put details about the domain with authentication.
> 
> 
> 
> * I placed entries in /etc/nssswitch as
> 
> passwd: files winbind
> 
> shadow: files winbind
> 
> group:  files winbind
> 
> 
> 
> 
> 
> This is the output I get
> 
> 
> 
> [2008/10/01 18:27:56, 0] libads/kerberos.c:ads_kinit_password(146)
> 
>   kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find
> KDC for requested realm
> 
> [2008/10/01 18:27:56, 0] utils/net_ads.c:ads_startup(186)
> 
>   ads_connect: Cannot find KDC for requested realm
> 
> [2008/10/01 18:27:56, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
> 
>   cli_nt_session_open: cli_nt_create failed on pipe \lsarpc to machine
> ads.example.com.  Error was NT_STATUS_ACCESS_DENIED
> 
> could not initialise lsa pipe
> 
> could not obtain sid for domain
> 
> 
> 
> Shutting down Winbind services:[FAILED]
> 
> Starting Winbind services: [  OK  ]
> 
> 
> 
> Please help me as to what is going wrong. Appreciate if any members
> could help me out in configuring using Kerberos. Here also I edited the
> krb5.conf, krb.conf and krb.realm with the correct parameters but still
> am not able to get a solution.
> 
> 
> 
> Thanking you
> 
> 
> 
> Prashanth Adiyodi
> System Administrator
> 
> 
> Roamware (I) Pvt. Ltd.
> 7th Floor, Sigma, Hiranandani Gardens
> Technology Street, Powai,
> Mumbai-400 076
> Tel: 40406000 Ext: 6124
> GSM: 91-9833377712
> 
> www.roamware.com <http://www.roamware.com>


[Samba] Samba authentication using ADS

2008-10-01 Thread Prashanth Adiyodi
Greetings

 

I need help in setting up my linux box with ADS authentication on Samba.
I know that it can be done using winbind and Kerberos. I tried some of
the online methods but I am not able to get a result.

 

Request you to please help me with this.

 

These are the steps I followed to setup winbind

 

*   Using Authconfig command I put in the relevant details like "Use
Winbind" and Use "Winbind Authentication" and left "Cache Information",
"Use MD5 Passwords" and "Use Shadow Passwords" selected
*   Then I put details about the domain with authentication.

 

*   I placed entries in /etc/nssswitch as 

passwd: files winbind

shadow: files winbind

group:  files winbind

 

 

This is the output I get 

 

[2008/10/01 18:27:56, 0] libads/kerberos.c:ads_kinit_password(146)

  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find
KDC for requested realm

[2008/10/01 18:27:56, 0] utils/net_ads.c:ads_startup(186)

  ads_connect: Cannot find KDC for requested realm

[2008/10/01 18:27:56, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)

  cli_nt_session_open: cli_nt_create failed on pipe \lsarpc to machine
ads.example.com.  Error was NT_STATUS_ACCESS_DENIED

could not initialise lsa pipe

could not obtain sid for domain

 

Shutting down Winbind services:[FAILED]

Starting Winbind services: [  OK  ]

 

Please help me as to what is going wrong. Appreciate if any members
could help me out in configuring using Kerberos. Here also I edited the
krb5.conf, krb.conf and krb.realm with the correct parameters but still
am not able to get a solution.

 

Thanking you 

 

Prashanth Adiyodi
System Administrator


Roamware (I) Pvt. Ltd.
7th Floor, Sigma, Hiranandani Gardens
Technology Street, Powai, 
Mumbai-400 076
Tel: 40406000 Ext: 6124
GSM: 91-9833377712

www.roamware.com  


Re: [Samba] Samba authentication to AD server

2008-07-16 Thread Jeremy Allison
On Wed, Jul 16, 2008 at 10:28:49PM +0200, Volker Lendecke wrote:
> 
> Sorry, that's wrong. The only thing that native mode
> prevents is a NT4 BDC, so old-style "net rpc vampire" won't
> work anymore. Trusts should work. If they don't, please file
> a bug.

Ah, thanks Volker. Thanks for the correction ! It's been
a while since I had to set this up in production :-).

Jeremy.


Re: [Samba] Samba authentication to AD server

2008-07-16 Thread Volker Lendecke
On Wed, Jul 16, 2008 at 01:19:17PM -0700, Jeremy Allison wrote:
> On Wed, Jul 16, 2008 at 12:59:36PM -0400, Gman wrote:
> > Greetings all;
> > 
> > I currently have a task to put together a SAMBA (3.2) server that can
> > authenticate users to our local AD server. I was told recently that in
> > order for that to happen, the authentication needs to be in "mixed"
> > mode vice "native" (whatever that means), or it won't work. Can
> > someone a bit more knowledgable than I confirm or deny this statement,
> > or point me at documents that explain the difference? Thanks in
> > advance.
> 
> If the Samba server is merely a member of the AD domain,
> then no, you don't need to have the AD domain in mixed
> mode. It will work just fine with native mode.
> 
> If the Samba server is a PDC and you need it to have
> trusts with the AD domain, then yes, the AD domain must
> be in mixed mode.

Sorry, that's wrong. The only thing that native mode
prevents is a NT4 BDC, so old-style "net rpc vampire" won't
work anymore. Trusts should work. If they don't, please file
a bug.

Volker



Re: [Samba] Samba authentication to AD server

2008-07-16 Thread Jeremy Allison
On Wed, Jul 16, 2008 at 12:59:36PM -0400, Gman wrote:
> Greetings all;
> 
> I currently have a task to put together a SAMBA (3.2) server that can
> authenticate users to our local AD server. I was told recently that in
> order for that to happen, the authentication needs to be in "mixed"
> mode vice "native" (whatever that means), or it won't work. Can
> someone a bit more knowledgable than I confirm or deny this statement,
> or point me at documents that explain the difference? Thanks in
> advance.

If the Samba server is merely a member of the AD domain,
then no, you don't need to have the AD domain in mixed
mode. It will work just fine with native mode.

If the Samba server is a PDC and you need it to have
trusts with the AD domain, then yes, the AD domain must
be in mixed mode.

Hope that helps,

Jeremy.


[Samba] Samba authentication to AD server

2008-07-16 Thread Gman
Greetings all;

I currently have a task to put together a SAMBA (3.2) server that can
authenticate users to our local AD server. I was told recently that in
order for that to happen, the authentication needs to be in "mixed"
mode vice "native" (whatever that means), or it won't work. Can
someone a bit more knowledgable than I confirm or deny this statement,
or point me at documents that explain the difference? Thanks in
advance.

George


Re: [Samba] samba authentication awfully slow

2008-05-23 Thread Ryan Novosielski

Henning Evers wrote:
> Hey there everybody.
> 
> I am new to the list, so bear with me if make mistakes :)
> 
> I updated my Server from FC7 to FC9 and with it came Samba
> 3.2.0pre3-9.fc9 (heaven knows why it had to be a pre version).
> 
> I reused my old config and noticed that displaying all hosts in my
> workgroup as well as authentication went from normal to awfully slow.
> Once the connection is established it is bearable, though ropy.
> 
>   smbclient -L samsara //from an Ubuntu 8.04 in the same network
>   smbclient -L localhost //from the server itself
> 
> results in:
> Receiving SMB: Server stopped responding
> session setup failed: Call timed out: server did not respond after 2
> milliseconds
> 
> I have been reading a lot about it, i found others with the same
> problems, but i have not found a solution. I am so out of ideas here...
> 
> I hope someone just says "easy dude - its only ..." 
> 
> Thanks in advance,
> Henning
> 
> p.s.: Here's my testconfig, for what its worth it...
> 
> [global]
> workgroup = SKYNET
> security = USER
> smb passwd file = /etc/samba/smbpasswd
> private dir = /etc/samba
> 
> [Plans]
> path = /export/samba
> read only = Yes
> guest ok = Yes

It does not sound like this could be the cause of the problem, based on
the fact that it just suddenly showed up on an update, but how many
lines are in your smbpasswd file? It may be that you'll see substantial
speed gains regardless moving that file to tdbsam, which is easily done
with pdbedit -i and -e.

HTH,
- --
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

[Samba] samba authentication awfully slow

2008-05-22 Thread Henning Evers
Hey there everybody.

I am new to the list, so bear with me if make mistakes :)

I updated my Server from FC7 to FC9 and with it came Samba
3.2.0pre3-9.fc9 (heaven knows why it had to be a pre version).

I reused my old config and noticed that displaying all hosts in my
workgroup as well as authentication went from normal to awfully slow.
Once the connection is established it is bearable, though ropy.

smbclient -L samsara //from an Ubuntu 8.04 in the same network
smbclient -L localhost //from the server itself

results in:
Receiving SMB: Server stopped responding
session setup failed: Call timed out: server did not respond after 2
milliseconds

I have been reading a lot about it, i found others with the same
problems, but i have not found a solution. I am so out of ideas here...

I hope someone just says "easy dude - its only ..." 

Thanks in advance,
Henning

p.s.: Here's my testconfig, for what its worth it...

[global]
workgroup = SKYNET
security = USER
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba

[Plans]
path = /export/samba
read only = Yes
guest ok = Yes




Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-04 Thread Wes Deviers
On Thu 3 Apr  2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
> > On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> >> The question and the challenge:  Any leads on how I might convince Samba
> >> to pass the input password on to OpenLDAP so that OpenLDAP can
> >> authenticate it against Kerberos?
> >
> > The only chance is that you modify each client's registry to
> > send plain text passwords to the server over the network,
> > downgrading your security to what telnet provided ages ago.
> > You can guess that this is ABSOLUTELY NOT recommended. If
> > you go with standard Windows authentication schemes, the
> > SMB server never sees the user's plain text password which
> > would be required to authenticate against Kerberos.
> >
> > Volker
>
> Yeah, I'm not so keen on sending plaintext passwords anywhere.
>
> It is already moderately-well documented how to connect Samba up to use
> Kerberos authentication.  And my guess is that the Kerberos model would
> not allow passwords to be sent plaintext.  More likely an encrypted hash
> gets passed?  I don't know the precise mechanism, but would like to.
>
> But beyond that, how could one use Samba to pass that encrypted password
> to LDAP to pass on to Kerberos to authenticate?
>

Note: this is from my experience and research, both of which are extensive but 
probably wrong.  I wanted to do a similar thing (poor-man's SSO).

I believe the problem is twofold:

1) The client never actually sends the password.  By default, it sends a 
response to a challenge from the server; the response is based on the 
password.  So the password, in any form, never traverses the network unless 
you explicitly turn on that compatibility model.  Samba can't forward what it 
doesn't have.

2) Using LDAP for authentication is...a hack, to put it bluntly.  Everybody 
does it, but we probably shouldn't.  The problem is that in either 
authentication scenario (bind against LDAP = Good! or query the tree for 
user/pw/group/etc) would require modifications to the LDAP server.  It could 
accept the password, request a certificate and then store the token and 
return the "Correct" answer if the token is good and intentionally return 
an "incorrect" answer if the Kerb auth fails.

Since you can't send passwords in plaintext for obvious reasons, a simple or 
complex way to do this escapes me.  

I assume that you're not doing domain logins.  You could write a web interface 
or quick Java craplet (or a keylogger...) that takes a login from the user 
and captures their password.  Then you can feed that to a process on the LDAP 
server which authenticates against kerberos; if the authentication succeeds, 
you dump the hashed/crypted version of the password into the LDAP directory 
for authentication use later.  

Convoluted, but you could make it work.

Wes





Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Volker Lendecke
On Thu, Apr 03, 2008 at 02:00:36PM -0700, Wes Modes wrote:
> It is already moderately-well documented how to connect Samba up to use 
> Kerberos authentication.  And my guess is that the Kerberos model would 
> not allow passwords to be sent plaintext.  More likely an encrypted hash 
> gets passed?  I don't know the precise mechanism, but would like to.

http://davenport.sourceforge.net/ntlm.html

Enjoy.

Volker



Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Wes Modes



Volker Lendecke wrote:
> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>> The question and the challenge:  Any leads on how I might convince Samba
>> to pass the input password on to OpenLDAP so that OpenLDAP can
>> authenticate it against Kerberos?
>
> The only chance is that you modify each client's registry to
> send plain text passwords to the server over the network,
> downgrading your security to what telnet provided ages ago.
> You can guess that this is ABSOLUTELY NOT recommended. If
> you go with standard Windows authentication schemes, the
> SMB server never sees the user's plain text password which
> would be required to authenticate against Kerberos.
>
> Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere.

It is already moderately-well documented how to connect Samba up to use 
Kerberos authentication.  And my guess is that the Kerberos model would 
not allow passwords to be sent plaintext.  More likely an encrypted hash 
gets passed?  I don't know the precise mechanism, but would like to.


But beyond that, how could one use Samba to pass that encrypted password 
to LDAP to pass on to Kerberos to authenticate?


W.

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208


Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Volker Lendecke
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> The question and the challenge:  Any leads on how I might convince Samba 
> to pass the input password on to OpenLDAP so that OpenLDAP can 
> authenticate it against Kerberos?

The only chance is that you modify each client's registry to
send plain text passwords to the server over the network,
downgrading your security to what telnet provided ages ago.
You can guess that this is ABSOLUTELY NOT recommended. If
you go with standard Windows authentication schemes, the
SMB server never sees the user's plain text password which
would be required to authenticate against Kerberos.

Volker



[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Wes Modes
So far answers I've received on this list have been inconsistent at best 
and downright inaccurate at worst.  I'm going to try one more time and 
see if, at the very least, someone can give me a lead.  I ask you to 
consider what I'm asking remotely possible, and then seek a solution.  
(Particularly before one blasts off an ill-thought out message that says 
simply, "Can't be done," simply because you've never done it or haven't 
heard of it being done.)  So consider this a challenge or a riddle.


  1. I have an OpenLDAP directory server that I am using for user and
     group information.  I would like to use it also to authenticate
     against.  This way, whatever I hook up to it (Samba, webstuff, PHP
     apps, CMS) can both authenticate and authorize from one source.
  2. There is a separate Kerberos server that has users' campus-wide
     passwords.  I have access to it, but do not control it.
  3. I have a separate linux file server running Samba.  PCs and Macs
     will connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd 
prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve 
the problem once, rather than have to work out BOTH LDAP and Kerberos 
connections for every new authenticated service I add, and b) LDAP hooks 
are more common than Kerberos hooks for other services for which I will 
eventually want authentication and authorization.  And yes, I know it 
breaks the Kerberos model.


The question and the challenge:  Any leads on how I might convince Samba 
to pass the input password on to OpenLDAP so that OpenLDAP can 
authenticate it against Kerberos?


Wes

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208


Re: Re: [Samba] SAMBA authentication ?

2008-02-05 Thread czezz
That's it!
public needs to be set as "no"

Thanks for your help.



Original Message
From: Sadique Puthen <[EMAIL PROTECTED]>
To: czezz <[EMAIL PROTECTED]>
Cc: John Drescher <[EMAIL PROTECTED]>, samba@lists.samba.org
Date: 4 February 2008 12:38
Subject: Re: [Samba] SAMBA authentication ?

> czezz wrote:
> > smb.conf attached.
> >
> > security is set to SHARE. Otherwise I will not be able to have /pub which 
> > is accessible for everyone.
> >   
> 
>  From man smb.conf
> 
>  public
>   This parameter is a synonym for guest ok.
> 
>guest ok (S)
>   If this parameter is yes for a service, then no password is 
> required to connect to the service. Privileges will  be  those  of  the
>   guest account.
> 
>   This parameter nullifies the benefits of setting restrict 
> anonymous = 2
> 
>   See the section below on security for more information about 
> this option.
> 
>   Default: guest ok = no
> 
> So as long as you set "public = Yes" for share /pub2,  you wouldn't be 
> prompted for a username and password.
> 
> The other option is to use "security = user" and set "map to guest" 
> parameter for /pub share.
> 
> --Sadique
> 
> > Thanks,
> > Czezz
> >
> >
> > Original Message
> > From: Sadique Puthen <[EMAIL PROTECTED]>
> > To: czezz <[EMAIL PROTECTED]>
> > Cc: John Drescher <[EMAIL PROTECTED]>, samba@lists.samba.org
> > Date: 4 February 2008 8:37
> > Subject: Re: [Samba] SAMBA authentication ?
> >
> >   
> >> czezz wrote:
> >> 
> >>> Original Message
> >>> From: "John Drescher" <[EMAIL PROTECTED]>
> >>> To: czezz <[EMAIL PROTECTED]>
> >>> Cc: samba@lists.samba.org
> >>> Date: 3 February 2008 19:59
> >>> Subject: Re: [Samba] SAMBA authentication ?
> >>>
> >>>   
> >>>   
> >>>> On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
> >>>> 
> >>>> 
> >>>>> I have set up samba and configured resources /pub for "pcguest" account 
> >>>>> and it works perfect (read/write access for everyone. No 
> >>>>> authentication is needed)
> >>>>>
> >>>>> Now, I want to set new resource called /pub2 where access is limited 
> >>>>> only for user "userx".
> >>>>>
> >>>>> What I did:
> >>>>> I created userx in /etc/passwd and his home dir in /pub2
> >>>>> I created userx using "smbpasswd"
> >>>>> Both users has this same passwd.
> >>>>>
> >>>>> In /etc/samba/smb.conf added:
> >>>>>
> >>>>> [pub2]
> >>>>> path = /pub2
> >>>>> volume = userx
> >>>>> comment = Programy userx
> >>>>> public = yes
> >>>>> writable = yes
> >>>>> share modes = yes
> >>>>> read only = no
> >>>>> create mode = 0775
> >>>>> directory mode = 0775
> >>>>> oplocks = True
> >>>>> level2 oplocks = True
> >>>>>
> >>>>> After SAMBA restart:
> >>>>> sitting on WindowsXP box I am able to see /pub and /pub2 resources. I 
> >>>>> can even browse /pub2 but I am unable to create any file or dir.
> >>>>> This is expected behavior... but why the heck I can't have way to log on 
> >>>>> to user "userx" account ?
> >>>>>
> >>>>>   
> >>>>>   
> >>>> Did you check the unix permissions of the folder you are sharing? Does
> >>>> userx have rw permissions?
> >>>>
> >>>> John
> >>>> 
> >>>> 
> >>>
> >>> Ammm... John, what's the point of unix permissions? I can browse content 
> >>> of /pub2 from any workstation on LAN.
> >>> The problem is that when I click on PUB2 resources I should get window to 
> >>> put login and password - why I don't have it ?
> >>>   
> >>>   
> >> Are you using security=share or user? Please post your smb.conf without 
> >> comments.
> >>
> >> --Sadique
> >>
> >> 
> >>> here is "ls"
> >>> [EMAIL PROTECTED]:~# ls -l /home/
> >>> drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
> >>> drwxr-xr-x 4 userx   users4096 2008-02-02 18:33 pub2/
> >>>
> >>> What is important !!!
> >>> Windows Workstations from which I try to login hasn't account "userx".
> >>> The Windows environment is only workgroup. And each station has its own 
> >>> login.
> >>> Each time someone want to access /pub2 then window asking for login and 
> >>> passwd should appear.
> >>>
> >>>
> >>>   
> >>>   
> 



Re: [Samba] SAMBA authentication ?

2008-02-04 Thread Sadique Puthen

Charles Marcus wrote:
>> Please post your smb.conf without comments.
>
> Is there a command to generate this output?

#testparm -s > /tmp/smb.conf

Attach the /tmp/smb.conf.

--Sadique



Re: [Samba] SAMBA authentication ?

2008-02-04 Thread Brian High
John Drescher wrote:
> On Feb 4, 2008 5:48 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:
>>> Please post your smb.conf without comments.
>> Is there a command to generate this output?
>>
> There probably is a better way but this is the first thing I can think of:
> 
> grep -v ^# /etc/samba/smb.conf
> 
> John

This works pretty well:

  testparm -s

... as it is formatted in a readable way, even if the smb.conf is messy.


Or you can do it this way:

  grep -v '^[ \t]*[#;]\|^[ \t]*$' /etc/samba/smb.conf

... so you also remove blank lines as well as comments (both # and ;),
even with leading whitespace.


-- 
Brian High


Re: [Samba] SAMBA authentication ?

2008-02-04 Thread John Drescher
On Feb 4, 2008 5:48 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:
> > Please post your smb.conf without comments.
>
> Is there a command to generate this output?
>
There probably is a better way but this is the first thing I can think of:

grep -v ^# /etc/samba/smb.conf

John


Re: [Samba] SAMBA authentication ?

2008-02-04 Thread Charles Marcus

> Please post your smb.conf without comments.


Is there a command to generate this output?

--

Best regards,

Charles


Re: [Samba] SAMBA authentication ?

2008-02-04 Thread Sadique Puthen

czezz wrote:
> smb.conf attached.
>
> security is set to SHARE. Otherwise I will not be able to have /pub which is
> accessible for everyone.

From man smb.conf

public
    This parameter is a synonym for guest ok.

guest ok (S)
    If this parameter is yes for a service, then no password is
    required to connect to the service. Privileges will be those of the
    guest account.

    This parameter nullifies the benefits of setting restrict
    anonymous = 2

    See the section below on security for more information about
    this option.

    Default: guest ok = no

So as long as you set "public = Yes" for share /pub2,  you wouldn't be 
prompted for a username and password.

The other option is to use "security = user" and set "map to guest" 
parameter for /pub share.

--Sadique


> Thanks,
> Czezz
>
> Original Message
> From: Sadique Puthen <[EMAIL PROTECTED]>
> To: czezz <[EMAIL PROTECTED]>
> Cc: John Drescher <[EMAIL PROTECTED]>, samba@lists.samba.org
> Date: 4 February 2008 8:37
> Subject: Re: [Samba] SAMBA authentication ?
>
>> czezz wrote:
>>> Original Message
>>> From: "John Drescher" <[EMAIL PROTECTED]>
>>> To: czezz <[EMAIL PROTECTED]>
>>> Cc: samba@lists.samba.org
>>> Date: 3 February 2008 19:59
>>> Subject: Re: [Samba] SAMBA authentication ?
>>>
>>>> On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
>>>>> I have set up samba and configured resources /pub for "pcguest" account and it
>>>>> works perfect (read/write access for everyone. No authentication is needed)
>>>>>
>>>>> Now, I want to set new resource called /pub2 where access is limited only for user
>>>>> "userx".
>>>>>
>>>>> What I did:
>>>>> I created userx in /etc/passwd and his home dir in /pub2
>>>>> I created userx using "smbpasswd"
>>>>> Both users has this same passwd.
>>>>>
>>>>> In /etc/samba/smb.conf added:
>>>>>
>>>>> [pub2]
>>>>> path = /pub2
>>>>> volume = userx
>>>>> comment = Programy userx
>>>>> public = yes
>>>>> writable = yes
>>>>> share modes = yes
>>>>> read only = no
>>>>> create mode = 0775
>>>>> directory mode = 0775
>>>>> oplocks = True
>>>>> level2 oplocks = True
>>>>>
>>>>> After SAMBA restart:
>>>>> sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even
>>>>> browse /pub2 but I am unable to create any file or dir.
>>>>> This is expected behavior... but why the heck I can't have way to log on to user
>>>>> "userx" account ?
>>>>
>>>> Did you check the unix permissions of the folder you are sharing? Does
>>>> userx have rw permissions?
>>>>
>>>> John
>>>
>>> Ammm... John, what's the point of unix permissions? I can browse content of
>>> /pub2 from any workstation on LAN.
>>> The problem is that when I click on PUB2 resources I should get window to put
>>> login and password - why I don't have it ?
>>
>> Are you using security=share or user? Please post your smb.conf without
>> comments.
>>
>> --Sadique
>>
>>> here is "ls"
>>> [EMAIL PROTECTED]:~# ls -l /home/
>>> drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
>>> drwxr-xr-x 4 userx   users4096 2008-02-02 18:33 pub2/
>>>
>>> What is important !!!
>>> Windows Workstations from which I try to login hasn't account "userx".
>>> The Windows environment is only workgroup. And each station has its own login.
>>> Each time someone want to access /pub2 then window asking for login and passwd
>>> should appear.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
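
A check for the misconfiguration Sadique points out above, as an added example that is not part of the original thread or of Samba itself: a small Python parser that resolves the `public` / `guest ok` synonym and lists every share that accepts connections without a password. The `[pub2]` section is the one czezz posted; the `[global]`, `[pub]` and `[pub2-fixed]` sections and all function names are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# smb.conf(5) synonyms: canonical name and whether the meaning is inverted.
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}


def as_bool(value, default):
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {canonical_param: value}}; later settings win."""
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comments may be indented
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Case and whitespace inside parameter names are not significant.
        key = re.sub(r"\s+", "", key).lower()
        value = value.strip()
        canon, inverted = SYNONYMS.get(key, (key, False))
        if inverted:
            value = "no" if as_bool(value, False) else "yes"
        current[canon] = value
    return sections


def guest_shares(text):
    """List (share, access) for every share reachable without a password."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        merged = {**defaults, **params}
        if as_bool(merged.get("guestok", "no"), False):      # default: no
            read_only = as_bool(merged.get("readonly", "yes"), True)
            findings.append((name, "read-only" if read_only else "writable"))
    return findings


SAMPLE = """
# constructed [global] and [pub]; [pub2] is the section from the thread
[global]
   security = share

[pub]
   path = /pub
   guest ok = yes
   read only = no

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

  ; constructed: the same share after the fix czezz confirms
[pub2-fixed]
path = /pub2
public = no
writable = yes
"""

if __name__ == "__main__":
    for share, access in guest_shares(SAMPLE):
        print(f"[{share}] accepts guests without a password ({access})")
```

Running it against the output of `testparm -s` rather than the raw file gives the same result on a messy smb.conf.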


Re: Re: [Samba] SAMBA authentication ?

2008-02-04 Thread czezz
smb.conf attached.

security is set to SHARE. Otherwise I will not be able to have /pub which is 
accessible for everyone.

Thanks,
Czezz


Original Message
From: Sadique Puthen <[EMAIL PROTECTED]>
To: czezz <[EMAIL PROTECTED]>
Cc: John Drescher <[EMAIL PROTECTED]>, samba@lists.samba.org
Date: 4 February 2008 8:37
Subject: Re: [Samba] SAMBA authentication ?

> czezz wrote:
> > Original Message
> > From: "John Drescher" <[EMAIL PROTECTED]>
> > To: czezz <[EMAIL PROTECTED]>
> > Cc: samba@lists.samba.org
> > Date: 3 February 2008 19:59
> > Subject: Re: [Samba] SAMBA authentication ?
> >
> >   
> >> On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
> >> 
> >>> I have set up samba and configured resources /pub for "pcguest" account 
> >>> and it works perfect (read/write access for everyone. No 
> >>> authentication is needed)
> >>>
> >>> Now, I want to set new resource called /pub2 where access is limited only 
> >>> for user "userx".
> >>>
> >>> What I did:
> >>> I created userx in /etc/passwd and his home dir in /pub2
> >>> I created userx using "smbpasswd"
> >>> Both users has this same passwd.
> >>>
> >>> In /etc/samba/smb.conf added:
> >>>
> >>> [pub2]
> >>> path = /pub2
> >>> volume = userx
> >>> comment = Programy userx
> >>> public = yes
> >>> writable = yes
> >>> share modes = yes
> >>> read only = no
> >>> create mode = 0775
> >>> directory mode = 0775
> >>> oplocks = True
> >>> level2 oplocks = True
> >>>
> >>> After SAMBA restart:
> >>> sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can 
> >>> even browse /pub2 but I am unable to create any file or dir.
> >>> This is expected behavior... but why the heck I can't have way to log on 
> >>> to user "userx" account ?
> >>>
> >>>   
> >> Did you check the unix permissions of the folder you are sharing? Does
> >> userx have rw permissions?
> >>
> >> John
> >> 
> >
> >
> >
> > Ammm... John, what's the point of unix permissions? I can browse content of 
> > /pub2 from any workstation on LAN.
> > The problem is that when I click on PUB2 resources I should get window to 
> > put login and password - why I don't have it ?
> >   
> 
> Are you using security=share or user? Please post your smb.conf without 
> comments.
> 
> --Sadique
> 
> > here is "ls"
> > [EMAIL PROTECTED]:~# ls -l /home/
> > drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
> > drwxr-xr-x 4 userx   users4096 2008-02-02 18:33 pub2/
> >
> > What is important !!!
> > Windows Workstations from which I try to login hasn't account "userx".
> > The Windows environment is only workgroup. And each station has its own 
> > login.
> > Each time someone want to access /pub2 then window asking for login and 
> > passwd should appear.
> >
> >
> >   
> 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] SAMBA authentication ?

2008-02-03 Thread Sadique Puthen

czezz wrote:
> Original Message
> From: "John Drescher" <[EMAIL PROTECTED]>
> To: czezz <[EMAIL PROTECTED]>
> Cc: samba@lists.samba.org
> Date: 3 February 2008 19:59
> Subject: Re: [Samba] SAMBA authentication ?
>
>> On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
>>
>>> I have set up samba and configured resources /pub for "pcguest" account and it 
>>> works perfect (read/write access for everyone. No authentication is needed)
>>>
>>> Now, I want to set new resource called /pub2 where access is limited only for user 
>>> "userx".
>>>
>>> What I did:
>>> I created userx in /etc/passwd and his home dir in /pub2
>>> I created userx using "smbpasswd"
>>> Both users have the same passwd.
>>>
>>> In /etc/samba/smb.conf added:
>>>
>>> [pub2]
>>> path = /pub2
>>> volume = userx
>>> comment = Programy userx
>>> public = yes
>>> writable = yes
>>> share modes = yes
>>> read only = no
>>> create mode = 0775
>>> directory mode = 0775
>>> oplocks = True
>>> level2 oplocks = True
>>>
>>> After SAMBA restart:
>>> sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even 
>>> browse /pub2 but I am unable to create any file or dir.
>>> This is expected behavior... but why the heck I can't have a way to log on to user 
>>> "userx" account ?
>>>
>> Did you check the unix permissions of the folder you are sharing? Does
>> userx have rw permissions?
>>
>> John
>
> Ammm... John, what's the point of unix permissions? I can browse content of 
> /pub2 from any workstation on LAN.
> The problem is that when I click on PUB2 resources I should get window to put 
> login and password - why I don't have it ?

Are you using security=share or user? Please post your smb.conf without 
comments.

--Sadique

> here is "ls"
> [EMAIL PROTECTED]:~# ls -l /home/
> drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
> drwxr-xr-x 4 userx   users    4096 2008-02-02 18:33 pub2/
>
> What is important !!!
> Windows Workstations from which I try to login don't have the account "userx".
> The Windows environment is only workgroup. And each station has its own login.
> Each time someone wants to access /pub2, a window asking for login and passwd 
> should appear.




Re: Re: [Samba] SAMBA authentication ?

2008-02-03 Thread John Drescher
> Ammm... John, what's the point of unix permissions?
If the unix user has no access to the share on the unix filesystem.
Samba will not have any access either.

> I can browse content of /pub2 from any workstation on LAN.
> The problem is that when I click on PUB2 resources I should get window to put 
> login and password - why I don't have it ?
>
> here is "ls"
> [EMAIL PROTECTED]:~# ls -l /home/
> drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
> drwxr-xr-x 4 userx   users    4096 2008-02-02 18:33 pub2/
>
This looks fine.

> What is important !!!
> Windows Workstations from which I try to login don't have the account "userx".
> The Windows environment is only workgroup. And each station has its own login.
> Each time someone wants to access /pub2, a window asking for login and 
> passwd should appear.
>
Can you post your smb.conf?

John


Re: Re: [Samba] SAMBA authentication ?

2008-02-03 Thread czezz
Original Message
From: "John Drescher" <[EMAIL PROTECTED]>
To: czezz <[EMAIL PROTECTED]>
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

> On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
> > I have set up samba and configured resources /pub for "pcguest" account and 
> > it works perfect (read/write access for everyone. No authentication is 
> > needed)
> >
> > Now, I want to set new resource called /pub2 where access is limited only 
> > for user "userx".
> >
> > What I did:
> > I created userx in /etc/passwd and his home dir in /pub2
> > I created userx using "smbpasswd"
> > Both users have the same passwd.
> >
> > In /etc/samba/smb.conf added:
> >
> > [pub2]
> > path = /pub2
> > volume = userx
> > comment = Programy userx
> > public = yes
> > writable = yes
> > share modes = yes
> > read only = no
> > create mode = 0775
> > directory mode = 0775
> > oplocks = True
> > level2 oplocks = True
> >
> > After SAMBA restart:
> > sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can 
> > even browse /pub2 but I am unable to create any file or dir.
> > This is expected behavior... but why the heck I can't have a way to log on to 
> > user "userx" account ?
> >
> Did you check the unix permissions of the folder you are sharing? Does
> userx have rw permissions?
> 
> John



Ammm... John, what's the point of unix permissions? I can browse content of 
/pub2 from any workstation on LAN.
The problem is that when I click on PUB2 resources I should get window to put 
login and password - why I don't have it ?

here is "ls"
[EMAIL PROTECTED]:~# ls -l /home/
drwxr-xr-x 3 pcguest pcguest  4096 2008-01-30 21:30 pub/
drwxr-xr-x 4 userx   users    4096 2008-02-02 18:33 pub2/

What is important !!!
Windows Workstations from which I try to login don't have the account "userx".
The Windows environment is only workgroup. And each station has its own login.
Each time someone wants to access /pub2, a window asking for login and passwd 
should appear.




Re: [Samba] SAMBA authentication ?

2008-02-03 Thread John Drescher
On Feb 3, 2008 11:38 AM, czezz <[EMAIL PROTECTED]> wrote:
> I have set up samba and configured resources /pub for "pcguest" account and 
> it works perfect (read/write access for everyone. No authentication is 
> needed)
>
> Now, I want to set new resource called /pub2 where access is limited only for 
> user "userx".
>
> What I did:
> I created userx in /etc/passwd and his home dir in /pub2
> I created userx using "smbpasswd"
> Both users have the same passwd.
>
> In /etc/samba/smb.conf added:
>
> [pub2]
> path = /pub2
> volume = userx
> comment = Programy userx
> public = yes
> writable = yes
> share modes = yes
> read only = no
> create mode = 0775
> directory mode = 0775
> oplocks = True
> level2 oplocks = True
>
> After SAMBA restart:
> sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can 
> even browse /pub2 but I am unable to create any file or dir.
> This is expected behavior... but why the heck I can't have a way to log on to 
> user "userx" account ?
>
Did you check the unix permissions of the folder you are sharing? Does
userx have rw permissions?

John


[Samba] SAMBA authentication ?

2008-02-03 Thread czezz
I have set up samba and configured resources /pub for "pcguest" account and it 
works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for 
user "userx".

What I did:
I created userx in /etc/passwd and his home dir in /pub2
I created userx using "smbpasswd"
Both users have the same passwd.

In /etc/samba/smb.conf added:

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

After SAMBA restart:
sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even 
browse /pub2 but I am unable to create any file or dir.
This is expected behavior... but why the heck I can't have a way to log on to user 
"userx" account ?

How does it work? What am I doing wrong?


Used:
Slackware 12, Samba 3.0.25b (from package).

Thanks for any help,
Czezz


[Samba] samba authentication problem, when moved from workgroup to active directory

2007-09-13 Thread GeorgeLazar

Until recently I had the computers organized in workgroups, without Active
Directory.
Also, we had a Linux server with samba. Some users had disks mapped to some
directory on the linux machine.

Now, we migrated the users and computers to an Active Directory Windows
2003. Now they cannot connect to the samba shares.

I don't want the samba server to use the AD to authenticate all linux users. 

thank you


Re: [Samba] Samba Authentication against Radius server

2007-06-12 Thread Adam Tauno Williams
> I have my linux system configured to authenticate/authorize (windows XP
> and Vista) users for several services, like PPTP, SMTP and POP3, against
> a radius server (using PAM), and now I want to add support for samba
> authentication also. I was planning to do it by using one tdbsam backend
> (I can not have LDAP for several reasons, unfortunately) but I have some
> doubts:
> Is it possible to authenticate samba users directly against the radius
> server (is there a way to do it)?

You can, but you basically have to break things to do it (enabling clear
text passwords).  You'd configure PAM to authenticate against RADIUS and
configure Samba to use the traditional password database - but don't.  

Reconfigure your RADIUS server to authenticate users via Samba; not the
other way around.

> For tdbsam is there any solution to keep passwords sync with radius
> server?

There is a password sync feature in Samba.  Updating Samba from RADIUS
password changes would be another matter.  But better to reconfigure
your RADIUS server to use Samba for authentication, thus keeping one
password database.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



[Samba] Samba Authentication against Radius server

2007-06-12 Thread Nelson Vale
Hello guys,

I have my linux system configured to authenticate/authorize (windows XP
and Vista) users for several services, like PPTP, SMTP and POP3, against
a radius server (using PAM), and now I want to add support for samba
authentication also. I was planning to do it by using one tdbsam backend
(I can not have LDAP for several reasons, unfortunately) but I have some
doubts:

Is it possible to authenticate samba users directly against the radius
server (is there a way to do it)?

For tdbsam is there any solution to keep passwords sync with radius
server?

Thanks




Re: [Samba] Samba authentication slow after upgrade to Samba 3

2007-06-05 Thread Mansell, Gary
This is really frustrating me - I cannot seem to resolve the problem.

Some users can connect no problem and others take a long time. The users
that take a long time leave lots of entries in the messages file:

Jun  5 13:00:33 dfgsrv2 smbd[9148]: [2007/06/05 13:00:33, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:33 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:34 dfgsrv2 smbd[10665]: [2007/06/05 13:00:34, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:34 dfgsrv2 smbd[10665]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User amcq ! 
Jun  5 13:00:36 dfgsrv2 smbd[9148]: [2007/06/05 13:00:36, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:36 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:36 dfgsrv2 smbd[10670]: [2007/06/05 13:00:36, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:36 dfgsrv2 smbd[10670]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User amcq ! 
Jun  5 13:00:38 dfgsrv2 smbd[9148]: [2007/06/05 13:00:38, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:38 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:38 dfgsrv2 smbd[10671]: [2007/06/05 13:00:38, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:38 dfgsrv2 smbd[10671]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User amcq ! 
Jun  5 13:00:40 dfgsrv2 smbd[9148]: [2007/06/05 13:00:40, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:40 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:43 dfgsrv2 smbd[9148]: [2007/06/05 13:00:43, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:43 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:45 dfgsrv2 smbd[9148]: [2007/06/05 13:00:45, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:45 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:47 dfgsrv2 smbd[9148]: [2007/06/05 13:00:47, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:47 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:50 dfgsrv2 smbd[9148]: [2007/06/05 13:00:50, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:50 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User rma ! 
Jun  5 13:00:51 dfgsrv2 smbd[10681]: [2007/06/05 13:00:51, 0]
auth/pampass.c:smb_pam_passcheck(810) 
Jun  5 13:00:51 dfgsrv2 smbd[10681]:   smb_pam_passcheck: PAM:
smb_pam_auth failed - Rejecting User amcq ! 



I have upgraded my version of Samba to the latest one for RHEL 4 -
samba-3.0.10-1.4E.12.2

Anyone got any ideas?

On Fri, 2007-06-01 at 08:32 +0100, Mansell, Gary wrote: 

> Hi,
> 
> I have just upgraded a server from Samba 2 to Samba 3 and some of the
> Windows clients are taking a long time to authenticate shares (1 or 2
> minutes). Eventually the username/password box appears and then when you
> enter a correct password, all is fine - it is just the initial
> authentication.
> 
> This is a simple UNIX password Samba server (with NIS) and I have set it
> to not use encrypted passwords.
> 
> I get these errors, repeatedly, in the messages file:
> 
> [2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_auth(514)
>   smb_pam_auth: PAM: Athentication Error for user mcr3
> [2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_error_handler(73)
>   smb_pam_error_handler: PAM: Authentication Failure : Authentication
> failure
> [2007/06/01 08:29:26, 0] auth/pampass.c:smb_pam_passcheck(810)
>   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User mcr3 !
> 
> 
> Here is my testparm output:
> 
> # Global parameters
> [global]
> workgroup = DFGSRV
> server string = dfgsrv Samba Server %v
> encrypt passwords = No
> password level = 8
> username level = 8
> log level = 2
> log file = /var/log/samba/%m.log
> max log size = 200
> deadtime = 30
> socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY
> IPTOS_THROUGHPUT
> dns proxy = No
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> cups options = raw
> oplocks = No
> level2 oplocks = No
> 
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0664
> directory mask = 0775
> 
> Any help gladly received as it is taking some of my users half an hour
> to disconnect from their previously mapped shares and to reconnect to
> them.
> 
> The problem persists if a user logs out and back in again and after a
> Windows client machine reboot.
> 
> Regards
> 
> Gary
> 

[Samba] Samba authentication slow after upgrade to Samba 3

2007-06-01 Thread Mansell, Gary
Hi,

I have just upgraded a server from Samba 2 to Samba 3 and some of the
Windows clients are taking a long time to authenticate shares (1 or 2
minutes). Eventually the username/password box appears and then when you
enter a correct password, all is fine - it is just the initial
authentication.

This is a simple UNIX password Samba server (with NIS) and I have set it
to not use encrypted passwords.

I get these errors, repeatedly, in the messages file:

[2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_auth(514)
  smb_pam_auth: PAM: Athentication Error for user mcr3
[2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Authentication Failure : Authentication
failure
[2007/06/01 08:29:26, 0] auth/pampass.c:smb_pam_passcheck(810)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User mcr3 !


Here is my testparm output:

# Global parameters
[global]
workgroup = DFGSRV
server string = dfgsrv Samba Server %v
encrypt passwords = No
password level = 8
username level = 8
log level = 2
log file = /var/log/samba/%m.log
max log size = 200
deadtime = 30
socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY
IPTOS_THROUGHPUT
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
oplocks = No
level2 oplocks = No

[homes]
comment = Home Directories
read only = No
create mask = 0664
directory mask = 0775

Any help gladly received as it is taking some of my users half an hour
to disconnect from their previously mapped shares and to reconnect to
them.

The problem persists if a user logs out and back in again and after a
Windows client machine reboot.

Regards

Gary
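
The follow-up in this thread quotes pairs of syslog lines for each `smb_pam_passcheck` rejection. The following is an added example, not part of the original posts: it groups such rejections by user and by smbd PID, which separates one connection retrying from a client opening a new connection per attempt (smbd serves each client connection from its own process). The sample lines are constructed from the quoted ones, rejoined onto single lines; the threshold of 3 is an assumption.

```python
"""Summarise smb_pam_passcheck rejections per user and per smbd process."""
import re
from collections import defaultdict
from datetime import datetime

# Header line: "smbd[PID]: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"smbd\[(\d+)\]: \[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\]")
# Message line that follows the header for the same PID.
REJECT = re.compile(
    r"smbd\[(\d+)\]:\s+smb_pam_passcheck: PAM: smb_pam_auth failed"
    r" - Rejecting User (\S+) !"
)
RETRY_THRESHOLD = 3  # assumed: this many rejections in one process is a retry loop

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jun  5 13:00:33 dfgsrv2 smbd[9148]: [2007/06/05 13:00:33, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:33 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun  5 13:00:34 dfgsrv2 smbd[10665]: [2007/06/05 13:00:34, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:34 dfgsrv2 smbd[10665]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun  5 13:00:36 dfgsrv2 smbd[9148]: [2007/06/05 13:00:36, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:36 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun  5 13:00:36 dfgsrv2 smbd[10670]: [2007/06/05 13:00:36, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:36 dfgsrv2 smbd[10670]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun  5 13:00:38 dfgsrv2 smbd[9148]: [2007/06/05 13:00:38, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:38 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun  5 13:00:38 dfgsrv2 smbd[10671]: [2007/06/05 13:00:38, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:38 dfgsrv2 smbd[10671]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun  5 13:00:40 dfgsrv2 smbd[9148]: [2007/06/05 13:00:40, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun  5 13:00:40 dfgsrv2 smbd[9148]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
""".splitlines()


def parse_rejections(lines):
    """Return [(timestamp, pid, user)], pairing each message with its header."""
    stamp_by_pid = {}
    records = []
    for line in lines:
        header = HEADER.search(line)
        if header:
            stamp_by_pid[header.group(1)] = datetime.strptime(
                header.group(2), "%Y/%m/%d %H:%M:%S")
            continue
        reject = REJECT.search(line)
        if reject and reject.group(1) in stamp_by_pid:
            pid, user = reject.groups()
            records.append((stamp_by_pid[pid], pid, user))
    return records


def summarise(lines):
    """Return {user: stats} describing how the rejections are distributed."""
    per_user = defaultdict(lambda: defaultdict(list))
    for stamp, pid, user in parse_rejections(lines):
        per_user[user][pid].append(stamp)
    report = {}
    for user, by_pid in per_user.items():
        # The busiest process shows whether one connection keeps retrying.
        _, stamps = max(by_pid.items(), key=lambda item: len(item[1]))
        retrying = len(stamps) >= RETRY_THRESHOLD
        report[user] = {
            "rejections": sum(len(v) for v in by_pid.values()),
            "processes": len(by_pid),
            "max_per_process": len(stamps),
            "span_seconds": int((max(stamps) - min(stamps)).total_seconds()),
            "pattern": ("same-connection retries" if retrying
                        else "new connection per attempt"),
        }
    return report


if __name__ == "__main__":
    for user, stats in sorted(summarise(SAMPLE_LOG).items()):
        print(user, stats)
```

It expects whole syslog lines, so mail-wrapped excerpts need rejoining before they are fed in.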



[Samba] Samba Authentication Using Novell eDirectory via LDAP

2007-03-27 Thread McGlynn, Sean \(DOB\)
Hello,
 
We have a RHEL 4 Update 4 server that was configured to store its Samba
passwords in eDirectory via LDAP.  This was accomplished by adding the
following three lines to the [Global] section of smb.conf:

ldap admin dn = cn=admin,o=budget
ldap suffix = o=budget
passdb backend = ldapsam:ldaps://SERVER_NAME:636

After adding the lines and saving the file the admin password is stored
using smbpasswd -w, the /etc/samba/smbpasswd was renamed to
old_smbpasswd, and the smb service is started.

This worked as desired, allowing Samba user passwords to be stored in
the corresponding user's eDirectory user object.  An additional effect,
although I'm not sure if it was expected or not, is that the password
can be changed by the Novell Change Password facility available by doing
a Ctrl+Alt+Del from a user's Windows workstation.  The server appears as
an available resource, and the password can be changed along with
changing the Novell password, keeping them in sync.

As we were not ready to permanently effect this change we undid
everything, removing the three lines and renaming the smbpasswd back to
its original name.  What is unexpected is that we can now change the
Samba passwords being stored in /etc/samba/smbpasswd using the same
Novell Change Password facility.  While that's not necessarily a bad
thing, I appreciate anyone who can explain why it is working.

What we're stumped by is we've now set up a second RHEL 4 server that we
believe we've set up identically to the original, and it does store the
Samba password in eDirectory, but we don't see the server in the Novell
Change Password facility so that our users can change their own Samba
passwords.  It's been four months between implementations, and while we
documented the process, perhaps we forgot something.  Does anyone know
why this is not working for our second server, or what we may have
forgotten to do?

Our full smb.conf file follows.  The only thing I would point out is we
copied the file from the other server, changing only the SERVER_NAME,
and the name of the first share definition [NEWSAS].  We did not change
the idmap uid or gid--is that a problem?

[global]
dns proxy = no
encrypt passwords = yes
workgroup = workgroup
security = user
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
ldap admin dn = cn=admin,o=budget
ldap suffix = o=budget
passdb backend = ldapsam:ldaps://SERVER_NAME:636
[NEWSAS]
comment  = new sas server
path = /
read only = no
valid users = sukmcgl
browseable = yes
hosts allow = 127.0.0.1 10.57.
guest ok = no
[homes]
comment = Home Directories
valid users = %S
browseable = no
guest ok = no
read only = no



[Samba] Samba Authentication Using Novell eDirectory via LDAP

2007-03-15 Thread [EMAIL PROTECTED]
Hello,
 
We have a RHEL 4 Update 4 server that was configured to store its 
Samba passwords in eDirectory via LDAP.  This was accomplished by 
adding the following three lines to the [Global] section of smb.conf:

ldap admin dn = cn=admin,o=budget
ldap suffix = o=budget
passdb backend = ldapsam:ldaps://SERVER_NAME:636

After adding the lines and saving the file the admin password is 
stored using smbpasswd -w, the /etc/samba/smbpasswd was renamed to 
old_smbpasswd, and the smb service is started.

This worked as desired, allowing Samba user passwords to be stored in 
the corresponding user's eDirectory user object.  An additional effect, 
although I'm not sure if it was expected or not, is that the password 
can be changed by the Novell Change Password facility available by 
doing a Ctrl+Alt+Del from a user's Windows workstation.  The server 
appears as an available resource, and the password can be changed along 
with changing the Novell password, keeping them in sync.

As we were not ready to permanently effect this change we undid 
everything, removing the three lines and renaming the smbpasswd back to 
its original name.  What is unexpected is that we can now change the 
Samba passwords being stored in /etc/samba/smbpasswd using the same 
Novell Change Password facility.  While that's not necessarily a bad 
thing, I appreciate anyone who can explain why it is working.

What we're stumped by is we've now set up a second RHEL 4 server that 
we believe we've set up identically to the original, and it does store 
the Samba password in eDirectory, but we don't see the server in the 
Novell Change Password facility so that our users can change their own 
Samba passwords.  It's been four months between implementations, and 
while we documented the process, perhaps we forgot something.  Does 
anyone know why this is not working for our second server, or what we 
may have forgotten to do?

Our full smb.conf file follows.  The only thing I would point out is 
we copied the file from the other server, changing only the 
SERVER_NAME, and the name of the first share definition [NEWSAS].  We 
did not change the idmap uid or gid--is that a problem?

[global]
dns proxy = no
encrypt passwords = yes
workgroup = workgroup
security = user
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
ldap admin dn = cn=admin,o=budget
ldap suffix = o=budget
passdb backend = ldapsam:ldaps://SERVER_NAME:636
[NEWSAS]
comment  = new sas server
path = /
read only = no
valid users = sukmcgl
browseable = yes
hosts allow = 127.0.0.1 10.57.
guest ok = no
[homes]
comment = Home Directories
valid users = %S
browseable = no
guest ok = no
read only = no


Re: [Samba] Samba authentication w/o using /etc/passwd?

2007-03-05 Thread Daniel Müller
Hi,

Suse 10.1, Yast, authentication, choose samba

greetings
daniel
Original Message
Date: Mon, 5 Mar 2007 09:05:19 -0800
From: Young <[EMAIL PROTECTED]>
To: samba@lists.samba.org
CC: 
Subject: [Samba] Samba authentication w/o using /etc/passwd?

> Hi,
> 
> 
> Is there a way to configure Samba w/o using /etc/passwd but only Samba's
> local password file only?
> 
> I'm looking for a simple way to configure it to avoid using /etc/passwd,
> if there's a way.
> 
> Thanks in advance!
> 
> 
> - Young



[Samba] Samba authentication w/o using /etc/passwd?

2007-03-05 Thread Young

Hi,


Is there a way to configure Samba w/o using /etc/passwd but only Samba's
local password file only?

I'm looking for a simple way to configure it to avoid using /etc/passwd, if
there's a way.

Thanks in advance!


- Young


[Samba] Samba Authentication & Trust Relationship Problem

2007-02-28 Thread S Mohan

Dear SAMBA Mailing List

I am using Samba samba-3.0.9-1.3E.10, OS Centos 4.4

We have got a problem. When I issue the "net rpc trustdom list"
command, sometimes it shows OK, sometimes it shows an error
message, and sometimes not. It is creating a problem authenticating other
Samba workstations to the PDC server.

1) [EMAIL PROTECTED]samba]# net rpc trustdom list
   Password:
  Trusted domains list:

CSWNS-1-5-21-4226246216-841769125-2743635684
CSWGS-1-5-21-2182516265-3119084770-3204029048

Trusting domains list:

[2007/02/27 07:47:43, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
 cli_pipe: return critical error. Error was Call timed out: server did not
respond after 1 milliseconds
[2007/02/27 07:47:43, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
 Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL

2) [EMAIL PROTECTED]samba]# net rpc trustdom list
Password:
Could not connect to server PDCDEL
The username or password was not correct.
[2007/02/27 07:49:03, 0] utils/net_rpc.c:rpc_trustdom_list(4565)
 Couldn't connect to domain controller


3) [EMAIL PROTECTED]samba]# net rpc trustdom list
  Password:
  Trusted domains list:

CSWNS-1-5-21-4226246216-841769125-2743635684
CSWGS-1-5-21-2182516265-3119084770-3204029048

Trusting domains list:

CSWNS-1-5-21-4226246216-841769125-2743635684
CSWGS-1-5-21-2182516265-3119084770-3204029048
[EMAIL PROTECTED]samba]# net rpc trustdom list
Password:
Trusted domains list:

CSWNS-1-5-21-4226246216-841769125-2743635684
CSWGS-1-5-21-2182516265-3119084770-3204029048

Trusting domains list:

CSWNS-1-5-21-4226246216-841769125-2743635684
CSWGS-1-5-21-2182516265-3119084770-3204029048


This is the log status (Output of /var/log/messages)
Feb 27 14:47:30 pdcdel samba(pam_unix)[12925]: session closed for user kth
Feb 27 14:47:30 pdcdel smbd[12913]: [2007/02/27 14:47:30, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:30 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:30 pdcdel smbd[12913]: [2007/02/27 14:47:30, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:30 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:30 pdcdel smbd[12913]: [2007/02/27 14:47:30, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:30 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:30 pdcdel smbd[12913]: [2007/02/27 14:47:30, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:30 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:30 pdcdel smbd[12913]: [2007/02/27 14:47:30, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:30 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!
Feb 27 14:47:31 pdcdel smbd[12913]: [2007/02/27 14:47:31, 0]
auth/auth_util.c:make_server_info_info3(1134)
Feb 27 14:47:31 pdcdel smbd[12913]:   make_server_info_info3: pdb_init_sam
failed!

Please Help.

--
S.Murli Mohan


"There are only two ways to lead your life -- one, let things happen in
their own way and tolerate it,
and second, take responsibility to change it"

Rang De Basanti.


[Samba] samba authentication problem

2007-02-03 Thread mahesh pawar
Hi all,

I am trying to configure samba (3.0.23d) on my linux machine. This
is my smb.conf file,

[global]
workgroup = BSIL
netbios name = MDT506
security = share
server string = samba testing
[data]
read only = No
guest ok = yes
path = /export
force user = mahesh.pawar
force group = users
comment = for everyone...


With this configuration I am able to access the share on samba if a
Windows machine is logged in as an administrator.
If I log in with a user account (which is also stored in smbpasswd) I am
unable to access the samba share.

Also, I am not sure about the behavior of samba, because if I change
the authentication in the configuration file it doesn't take effect,
but I can access samba from another unix machine with the user account
I created in the smbpasswd file.

Guide me through the configuration as I think I have missed out
something, which is not letting me access the folder from windows user
account.

Regards,
Mahesh Pawar




[Samba] SAMBA authentication

2006-12-19 Thread Augusto Casagrande
Hi, I'm new here.
Here is my question: We have several servers running on our net. We have
one Win NT4.0 (domain manager), one SUSE Linux 8.1 running Samba 2.28.
We need to validate user/pass from Win NT4.0 from, for example, an
external application (made in Java).
Is there some command we can call, given a user and passwd? (for
instance: "validate user, pass, in_server")
My English is not too good, I can explain more if anything is missing.
Regards!

Augusto


[Samba] samba authentication problem

2006-10-23 Thread bob metcalf
SunFreeWare Samba 3.0.10 on Solaris 10.  Installed,
and able to authenticate locally on the samba box
after 'smbpasswd -a userid'.

But attempt to map a network drive from W2K
fails at authentication (the UNIX protocol in use
is NIS).  Here's what's gacked up in the log file:

===
  check_ntlm_password:  Authentication for user
[rxmc1821] -> [rxmc1821] FAILED
with error NT_STATUS_NO_SUCH_USER

at the command line:
ypcat passwd | grep rxmc

rxmc1821:94taElXKZTzcc:4060:5600:Robert Metcalf
Contractor,4-:/usr2/cuser/rxmc1821:/bin/csh

===

Any help appreciated.



[Samba] Samba authentication fails

2006-06-12 Thread Mitch Pope
Hello,

I have an unusual problem and I've only found a small amount of material 
after searching for other posts on this topic.  We have a production 
server running Samba version 2.2.7a which I'm told has been working 
perfectly for many years.  Every day over the last week Samba stops 
authenticating users (via Active Directory) requesting access to shares.

Specifically another production server (Windows 2000 SP4) has scripts that 
run nightly and pull data off the Samba shares of the BSD server (mapped 
network drive to the SMB share). 

Often it will lose its mapping to the SMB share and when attempting to 
reconnect an error is returned "connection with the server cannot be 
established, device might be in use by another application".  At this 
point nothing can connect to the SMB shares, including an XP SP2 box. 

SMBD stays running, and does not die.

Restarting smbd fixes the problem for a while (1 day or so).

I've checked smbd.log and found nothing unusual.

I'd prefer not to hear that upgrading Samba is the solution, it's been 
working and nothing has changed on the OS (BSD 4.11).  Server runs some 
very old business critical services that will not run under a newer OS 
release. 

Kind Regards,
Mitch Pope




Re: [Samba] Samba Authentication of Local Linux Users

2006-02-24 Thread Michael Thrift
Actually, I figured out what I wanted.  I wasn't expressing it well, 
mainly cause I couldn't think straight after staring at the monitor for 
so long.  Basically, what I didn't realize earlier is how pam_smbpasswd 
worked.  After stepping away from the problem for a few hours it hit me 
with a huge "DUR!"  pam_smbpasswd does exactly what I want.  Of course I 
don't want clear text passwords, so by using pam_smbpasswd it 
automagically keeps both files up-to-date when a user changes their pass 
through passwd (I recognize that I'm preaching to the choir).  Thanks 
for taking the time to read my post!


Mike.

Gordon Messmer wrote:

Michael Thrift wrote:
I am not authenticating domain users, or windows users, and I don't 
want to use smbpasswd.  Is there some way to force samba to 
authenticate against pam, and only pam?  My goal is to not add an 
administrative load whatsoever.


The last goal is not one you can achieve.

If you want to authenticate against PAM, you have to set "encrypt 
passwords = no".  Note, however, that the man page says:


  The use of plain text passwords is NOT advised as support
  for this feature is no longer maintained in Microsoft Win-
  dows products. If you want to use plain text passwords you
  must set this parameter to no.

Now, if you choose to set that option, you have to modify all of your 
clients, by importing the appropriate "PlainPassword.reg" file from 
the samba distribution.


So, basically, you have a choice between modifying how you manage and 
change passwords, so that you can support a secure login method for 
SMB, or changing the configuration of all of your windows clients 
considerably degrading security.





Re: [Samba] Samba Authentication of Local Linux Users

2006-02-24 Thread Gordon Messmer

Michael Thrift wrote:
I am not authenticating domain 
users, or windows users, and I don't want to use smbpasswd.  Is there 
some way to force samba to authenticate against pam, and only pam?  My 
goal is to not add an administrative load whatsoever.


The last goal is not one you can achieve.

If you want to authenticate against PAM, you have to set "encrypt 
passwords = no".  Note, however, that the man page says:


  The use of plain text passwords is NOT advised as support
  for this feature is no longer maintained in Microsoft Win-
  dows products. If you want to use plain text passwords you
  must set this parameter to no.

Now, if you choose to set that option, you have to modify all of your 
clients, by importing the appropriate "PlainPassword.reg" file from the 
samba distribution.


So, basically, you have a choice between modifying how you manage and 
change passwords, so that you can support a secure login method for SMB, 
or changing the configuration of all of your windows clients 
considerably degrading security.



[Samba] Samba Authentication of Local Linux Users

2006-02-24 Thread Michael Thrift

Hi,
   I'm trying to setup a samba server that will serve linux shares out 
to users across the network.  I'd like authentication to be done 
locally, and I want it to authenticate against pam using the already 
existing local linux user accounts.  I am not authenticating domain 
users, or windows users, and I don't want to use smbpasswd.  Is there 
some way to force samba to authenticate against pam, and only pam?  My 
goal is to not add an administrative load whatsoever.  Currently, I have 
my samba server setup, and I can access a global share okay.  But 
anytime I try and access my user home directory from the localhost 
itself with the command smbclient after providing my password I get a 
"NT_STATUS_LOGON_FAILURE," without a single log entry.  I've read 
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html which 
says right at the beginning that it works for winbind, which I'm not 
interested in.  I just want to authenticate to pam, like ftp, or ssh, or 
any other service authenticates to pam.  My /etc/pam.d looks good, and 
any help is greatly appreciated, I've spent a few hours on this with no 
success, I've searched every which way, and I just can't seem to get it 
figured out.  Thanks in advance!


Mike.


[Samba] Samba authentication

2006-01-22 Thread Renato Shimizu

Hello all

I need some help about Nas Blade authentication mode with CIFS Active 
Directory.

My question is, if the PDC (DC Server Name) fails:
- Active Directory authentication will be able to connect BDC (Slave DC 
Server Name)?


Thanks in advance
Best regards...

Renato Shimizu.


[Samba] Samba authentication with ADS using msSFU3.5

2006-01-10 Thread jason bigler
First let me give my thanks in advance for any help
offered

I am tasked with setting up a Samba server to
authenticate against the windows2003 ADS(LDAP server).
With the msSFU3.5 schema extensions already installed
and configured. 

We have an existing Samba server that is
authenticating against a MySQL LDAP server and is
working fine with a multi TB SAN hung off of the samba
server for home and user storage directories.

In the Samba 3.0 User's Guide chapter 13 (IDMAP) hits
on this subject but is not very definitive on what the
actual configs are/should be. Has there been any
further HowTos created for this type of scenario? I
have searched high and low and cannot seem to get this
working GGRRR

I have had the samba authentication using Winbind up
and working perfectly however the requirement of the
locally cached mapping db is not an option that I can
use in production. In addition the multiple TB of
storage with permissions already set and the powers
above dictating the use of ADS. Thus forcing me to use
ADS with the schema extensions. 

thanks again,

jason


[Samba] Samba Authentication

2005-11-03 Thread Nick Ward
Hello,
 
I'm trying to set up my first Samba server on a Suse Linux system.  I
have configured my krb5.conf file and checked things using kinit
[EMAIL PROTECTED] and it all worked.  I have configured Samba and joined it to
our windows domain using 'net ads join -u username%password' and this
seems to have worked fine.  I can use smbclient to connect to a Windows
share with no problem but when I try to set samba as for linux
authentication I get a message telling me this host is not a member of
our domain and would I like to join it.  (At this point when I browse I
don't see any domains)  I give the windows administrator username and
password and a box pops up saying 'error'.  Can anybody give me some
pointers on how to resolve this problem.
 
Thanks in advance.
 
Nick
 




[Samba] samba authentication behaves differently between windows and samba clients

2005-03-16 Thread José M. Fandiño
Hello,

 I'm using samba 3.0.11 and SuSE Enterprise Server 8 (SLES8). All
authentication tests using sambaclient work as expected, I can 
authenticate logon requests, but when I use windows 98 clients
authentication fails with some password lengths  :-?. I know 
it sounds weird but I can reproduce it as many times as I want.

i.e:

password "aaa" -> smbclient - always works
   \> windows 98 - always works

password "" -> smbclient - always works
\> windows 98 - always fails

Does this make sense to anyone? 
I'm out of ideas and all suggestions and comments will 
be welcome, thank you.

log of a successful login session:
http://195.55.55.164/tests/samba/yes.txt
and of a failed one:
http://195.55.55.164/tests/samba/no.txt

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = BETA
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
passdb backend = ldapsam:ldap://atlas.servidores.fadesa
log level = 3 passdb:50 auth:50 winbind:2
use spnego = No
client use spnego = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
logon script = inicio.bat
logon path = \\%N\profiles\%U
logon drive = H:
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=ora9i,ou=maquinas,ou=cuentas,dc=fadesa,dc=es
ldap group suffix = ou=grupos
ldap idmap suffix = cn=idmap,ou=samba,oui=aplicaciones
ldap machine suffix = ou=maquinas,ou=cuentas
ldap passwd sync = Yes
ldap suffix = dc=fadesa,dc=es
ldap ssl = no
ldap user suffix = ou=personas,ou=cuentas

[homes]
comment = Home Directories
path = /samba/%u
valid users = %S
read only = No
browseable = No

[netlogon]
comment = The domain netlogon service
path = /tmp
read only = No
guest ok = Yes
browseable = No




[Samba] Samba authentication fails unless unix account exists

2005-03-11 Thread John Kakritz
I've set up Samba 3.0.9 with ADS support and open LDAP 2.2.23 on FreeBSD 
5.3.  I've got all the essential services working as far as I can tell.  
Nmbd, smbd, and winbindd are running.  I've created a machine account in 
the domain with the net ads join command.  Wbinfo -u returns a list of 
my AD domain users in the DOMAIN\username format.  Wbinfo -g returns my 
groups in the same format.  Changes to users and groups in AD all seem 
to propagate almost immediately.  My shares can be accessed with the 
appropriate permissions using my account. 

My problem is that users cannot authenticate to Samba unless an account 
with the same name (but not necessarily the same password) exists in the 
unix passwd file.  If I make an account that matches the AD domain 
account on the BSD box (even if it has a different password) then that 
user can authenticate via samba but if no unix account exists the user 
cannot authenticate.

For example, a
/wbinfo -a FULLY.QUALIFIED.DOMAIN//username%password/
returns
/
plaintext password authentication succeeded
challenge/response password authentication succeeded/
but a
/smbclient -L localhost -Uusername/
returns
/read_socket_with_timeout: timeout read. read error = Connection reset 
by peer.
session setup failed: Read error: Connection reset by peer/

any suggestions?


RE: [Samba] Samba authentication slow against PDC

2005-02-03 Thread Chris Snider
>The "x" in 3.0.x is interesting. There has been a serious optimization in
>3.0.10, significant more work there is to come in 3.0.11

>Volker

Actually the PDC and BDC are both running Samba v3.0.10 while the
troublesome server is running 3.0.9.  Commenting out the "username level"
setting seems to have fixed our issue.  I'm going to let the 3.0.9 server
run for awhile and see if the authentication problem comes up again.  If
everything runs smoothly then I'm a little reluctant to upgrade it since I'm
a firm believer in "if it's not broke don't fix it".  I'll also take a look
at the release notes for 3.0.10 and 3.0.11 to see if anything specifically
addresses the issue we were having.

Thanks,
Chris





RE: [Samba] Samba authentication slow against PDC

2005-01-31 Thread Chris Snider

Just an update on what the fix for this problem was.  It was an entry called
"username level" which in our smb.conf file was set to 8.  This caused the
samba server to query ldap 256 times per user which caused the CPU on our
PDC/LDAP server to peg.  After setting this entry to 0 everything is working
as it should.

Chris   
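
The lookup cost described in the message above can be modelled as follows. This is an added example, not part of the original post and not Samba source code; it assumes that `username level` = N means trying the all-lowercase name and then every variant with 1..N letters upper-cased, at one directory lookup per candidate. The account names `testuser` and `ghostusr` are constructed.

```python
"""Model of how `username level` multiplies account lookups.

Added example, not Samba source. Assumed model: the lookup tries the
all-lowercase name first, then every variant of it with 1..N letters
upper-cased, where N is `username level`.
"""
from itertools import combinations
from math import comb


def candidate_usernames(name, username_level):
    """Yield case variants in the order the assumed model tries them."""
    base = name.lower()
    yield base
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for n_upper in range(1, min(username_level, len(letters)) + 1):
        for positions in combinations(letters, n_upper):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def max_lookups(name, username_level):
    """Closed form: sum of C(letters, k) for k = 0..username_level."""
    n = sum(ch.isalpha() for ch in name)
    return sum(comb(n, k) for k in range(min(username_level, n) + 1))


def resolve(name, username_level, directory):
    """Return (matched account or None, number of directory lookups)."""
    lookups = 0
    for candidate in candidate_usernames(name, username_level):
        lookups += 1  # one getpwnam()/LDAP search per candidate
        if candidate in directory:
            return candidate, lookups
    return None, lookups


# Constructed sample data: a directory holding one lower-case account.
DIRECTORY = {"testuser"}

if __name__ == "__main__":
    for level in (0, 2, 8):
        hit = resolve("TESTUSER", level, DIRECTORY)
        miss = resolve("ghostusr", level, DIRECTORY)
        print(f"username level = {level}: hit={hit} miss={miss} "
              f"bound={max_lookups('ghostusr', level)}")
```

Under this model an eight-letter name that is not in the directory costs 256 lookups at `username level = 8` and one lookup at 0; a name that matches in lower case costs one lookup at any level, so the load comes from names that miss.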



Re: [Samba] Samba authentication slow against PDC

2005-01-17 Thread Volker Lendecke
On Mon, Jan 17, 2005 at 04:22:09PM -0600, Chris Snider wrote:
> We are currently running three Samba 3.0.x file servers which authenticate

The "x" in 3.0.x is interesting. There has been a serious optimization in
3.0.10, significant more work there is to come in 3.0.11

Volker


RE: [Samba] Samba authentication slow against PDC

2005-01-17 Thread Chris Snider
Paul,
Thanks for your reply.  

>How many clients do you have running against your server(s).
Just shy of 1000.  952 total clients.

> ever considered a BDC?
We do have a BDC although it doesn't take as much of a load off of our PDC
as I would like.  The PDC will run around 70% utilization during real busy
times, usually in the morning, while the BDC will be running around 30-40%.
People are still able to authenticate against the BDC and run their login
scripts from the BDC so I know it is working.  I was kicking around the idea
of having BDCs at each customer location however client authentication
doesn't seem to be the issue as much as our third samba server deciding if
the user has access to a share.

> What program is chewing up the most cpu when you're at 30%?
SMBD takes up 30% on the file server and SLAPD takes up to 70% on the PDC.
>How many distinct samba processes do you have going?
Didn't look on the file server but I know the PDC had 1200 LDAP connections
when it usually only has 200-500.  Once I rebooted the problematic Samba
server that number dropped to 170 or so.  I will check tomorrow and let you
know how many smbd processes I have running.

> Try dropping in with a console and seeing how well a command like getent
> passwd or getent group, or even an ls -alF responds.
When I run getent passwd from the problem file server it responds almost
immediately streaming user entries.  Same with getent group.  I can also do
id username and it returns information within 1 second.  A little slower
than if the PDC and Fileserver had no load on them but it wasn't painfully
slow.  I did notice that when I ran ls -al in /homes it took a real long
time(7 seconds) to display the directories.  I'm wondering if the samba
problem is because we have 1000 user home directories under /home.  I'm not
real familiar with the way Samba authenticates a user to access a share but
this could definitely be a problem.

> If it's slow then your LDAP link could be to blame.
Possibly, however our other 2 samba servers don't seem to have any issues
when the third one does.

>Make sure that you've got nscd running on your PDC.  
I didn't enable nscd since I've read nscd can chew up system resources and
cause stability issues.  Since we are having stability issues anyway I'll
enable it and let you know Tuesday if that made a difference.

I'll keep working on it and let you know if I find anything.

Thanks,
Chris



Re: [Samba] Samba authentication slow against PDC

2005-01-17 Thread Paul Gienger

We are currently running three Samba 3.0.x file servers which authenticate
against a Samba PDC running LDAP.  2 out of the 3 samba servers authenticate
quickly(<5 seconds) when using smbclient -L localhost -U username however
the third will eventually time out saying "Server did not respond in 2
milliseconds.  NetBIOS over TCP disabled" when there is any sort of load on
it ~30% cpu usage.  

How many clients do you have running against your server(s).  Have you 
ever considered a BDC?  What program is chewing up the most cpu when 
you're at 30%?   How many distinct samba processes do you have going?

Try dropping in with a console and seeing how well a command like getent 
passwd or getent group, or even an ls -alF responds.  If it's slow then 
your LDAP link could be to blame.  Make sure that you've got nscd 
running on your PDC.  Maybe you need to split your LDAP master off the 
machine (assuming it's not).

These are some guesses I've seen cause issues, but maybe with more load 
information as to what is chewing up your cpu it will be more clear.

--
--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: [EMAIL PROTECTED]


[Samba] Samba authentication slow against PDC

2005-01-17 Thread Chris Snider

We are currently running three Samba 3.0.x file servers which authenticate
against a Samba PDC running LDAP.  2 out of the 3 samba servers authenticate
quickly(<5 seconds) when using smbclient -L localhost -U username however
the third will eventually time out saying "Server did not respond in 2
milliseconds.  NetBIOS over TCP disabled" when there is any sort of load on
it ~30% cpu usage.  If there is no load on the server then authentication
still takes around 15 seconds using the smbclient command.  When the server
is under a load domain computers are unable to map drives when running their
login script although once authenticated they can browse and map drives
without issue.  The only way to fix the problem is to reboot the server
several times until all users get their drives mapped then everything is
fine.   The box in question is running Fedora core 2 with all patches
applied using yum.  If you need my configuration or any other information
please let me know. 

Thanks,
Chris


