Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
On 20/06/13 17:12, Gaiseric Vandal wrote:
> If you want to centralize the samba accounts I think the proper way would be to use member servers.

Just yesterday I had the same problem with a member server (running samba 3.6.15), pointing to the ldap server on the domain controller (3.5.2). No matter what I did, net setlocalsid seemed to do nothing. I don't remember what I did to finally solve it, I only know that I deleted secrets.tdb (and/or the rest of the tdb files) a million times, deleting the domain for the new server in ldap, and trying to set the localsid before joining the domain, and finally the member server got the same sid as the domain (also stored in ldap).

I'm not convinced it's 100% working yet (e.g. smbclient -L shows the workgroup but not the master), but at least it doesn't complain and I can see its shares.

The funny thing is, I have another member server, which has been working fine (samba 3.5.6) for a while, yet yesterday, while trying to debug the new server, I discovered it complained about the same sid mismatch.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.
> Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server.
> Now I want several samba servers to use the LDAP server to authenticate users.

If you want multiple samba servers to use the same LDAP backend, they essentially all need to be domain controllers of the same domain. This is the supported way to have a single backend shared between multiple servers. You don't need to ever use the DC function from windows clients, but the servers need to think they are a DC.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
For me the better way would be to run several openldap servers in master-master replication on your DC and several BDCs. And no headache about anything. Or just point your BDCs to authenticate against the DC's openldap. But when your DC is down your authentication is gone.

Greetings
Daniel

---
EDV Daniel Müller
Head of IT (EDV), Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Andrew Bartlett
Sent: Friday, 21 June 2013 09:58
To: Philipp Lies
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

> On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
>> [...]
> [...]
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
Thanks for the recommendations! I was hoping that there'd be a simple solution/config parameter to force the samba server to trust the LDAP (it's still puzzling me why the other machines I have do work like that). I'll try to set up my new servers as DCs and see how this goes.

The idea with using the samba servers for LDAP replication as well sounds interesting. I'll look into that as well.

Thanks!
Philipp

On 21.06.2013 10:23, Daniel Müller wrote:
> [...]
[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
Hi,

I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong.

Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users.

One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.

Now here's the smb.conf (I removed the shares):

    [global]
    workgroup = X
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows:

    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize = [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.

Using `smbclient -L localhost -U someid` the log file says:

    check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
    check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group, which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?

What I tried so far:
- Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully, but getlocalsid returned the old SID.
- Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.
- Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".
- I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba Servers and the LDAP in the end all have the exact same SID?

Strangely I have debian/ubuntu servers where I have the same configuration but there it works. The difference I see is that in the debian system after the "Primary Group ... is UNKNOWN" there is no forcing to Domain Users as group and samba just checks the password of the user and doesn't care about the primary group SID.

Any ideas what I'm missing there?

Philipp
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)

Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.) Each PDC uses its own ldap server and the ldap servers are configured for replication.

The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.

On 06/20/13 04:26, Philipp Lies wrote:
> [...]
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
You might look into the net getlocalsid, net getdomainsid, net setlocalsid and net setdomainsid commands; you may be able to set the samba servers the same as your ldap sid... just a thought.

Remember, messing around with SID's can cause major issues, so export all sids to a file and be ready to set them back if everything goes wrong. (net getdomainsid > sidbackup.txt to export them on the samba side of things)

Ricky

On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> [...]
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
OK. I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines to say "I don't know who DOMAIN/user1 is, so I will map to local user1." The standalone servers should be using LDAP for unix accounts, but I don't think you really should use the common LDAP backend for samba accounts. You would need to use smbpasswd or pdbedit to create local samba users on each member server, which means the member servers would each use a local tdb database, not ldap, for samba.

If you want to centralize the samba accounts I think the proper way would be to use member servers.

That being said, if the current set up is working on some machines but not others, I would run testparm -v on each domain member and see if there are differences in mapping behavior. Different os's may have slightly different versions of samba and the default smb.conf parameters may have changed.

Also run net groupmap list on each member server. You may need to explicitly set group mappings for key windows groups (i.e. the group sid maps to a unix group.) e.g.

    # net groupmap list
    ...
    Administrators (S-1-5-32-544) -> Builtin Admins
    Users (S-1-5-32-545) -> Builtin Users

    # getent group "Builtin Admins"
    Builtin Admins::544:

On 06/20/13 10:40, Philipp Lies wrote:
> On 20.06.2013 15:04, Gaiseric Vandal wrote:
>> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> The LDAP server is the PDC, however, there are no domain members. All my samba servers are standalone servers which are not domain members. This seems to work nicely with my debian machines but not the centos ones.
>
> On 06/20/13 04:26, Philipp Lies wrote:
>> [...]
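The `net groupmap list` check above is easy to script once the output is parsed. The following is an added example, not code from this thread or from the Samba project: it parses constructed `net groupmap list` output (the `name (SID) -> unixgroup` lines shown in the post), reports which well-known domain groups (RIDs 512 to 515) still have no mapping, and classifies a user's sambaPrimaryGroupSID the way the smbd log lines in the original question do (mapped, unmapped, or from a foreign domain, the latter two ending in "Forcing Primary Group to 'Domain Users'"). `DOMAIN_SID`, the group names and the unix groups are placeholders.

```python
"""Added example: audit `net groupmap list` output for missing mappings.
Inputs are constructed; DOMAIN_SID is a placeholder for the real domain SID."""
import re
from typing import Dict, List, Tuple

DOMAIN_SID = "S-1-5-21-111-222-333"  # placeholder domain SID (constructed)

# Constructed sample in the format `net groupmap list` prints: name (SID) -> unix group.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-111-222-333-512) -> domadmins
Domain Users (S-1-5-21-111-222-333-513) -> users
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
"""

# Well-known domain group RIDs a classic Samba domain is expected to have mapped.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")


def parse_groupmap(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {SID: (windows group name, unix group name)} from groupmap output.
    Lines that do not match the name (SID) -> unix shape (e.g. '...') are skipped."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mapping[m["sid"]] = (m["name"], m["unix"])
    return mapping


def missing_well_known(mapping: Dict[str, Tuple[str, str]],
                       domain_sid: str = DOMAIN_SID) -> List[str]:
    """Names of well-known domain groups that have no entry under domain_sid."""
    return [name for rid, name in sorted(WELL_KNOWN_RIDS.items())
            if f"{domain_sid}-{rid}" not in mapping]


def primary_group_status(primary_group_sid: str,
                         mapping: Dict[str, Tuple[str, str]],
                         domain_sid: str = DOMAIN_SID) -> str:
    """Approximate smbd's decision for a user's sambaPrimaryGroupSID: only a
    mapped group of this domain is usable; 'unmapped' and 'foreign-domain'
    are the cases where smbd falls back to Domain Users (and, when the local
    SID differs from the LDAP SID, the fallback group then mismatches)."""
    prefix = primary_group_sid.rsplit("-", 1)[0]   # strip the RID
    if prefix != domain_sid:
        return "foreign-domain"
    if primary_group_sid in mapping:
        return "mapped"
    return "unmapped"


if __name__ == "__main__":
    gm = parse_groupmap(SAMPLE_GROUPMAP)
    print("missing well-known mappings:", missing_well_known(gm))
    for sid in (f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-1000", "S-1-5-21-999-888-777-513"):
        print(sid, "->", primary_group_status(sid, gm))
```

Run on a real server, replace `SAMPLE_GROUPMAP` with the captured output of `net groupmap list` and `DOMAIN_SID` with `net getdomainsid`; an "unmapped" primary group is the case the original log shows (group 1000 exists in LDAP but has no group mapping on that server), and "foreign-domain" means the SID prefix itself differs, which no group mapping will fix.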
Re: [Samba] Samba + LDAP: Issue adding machine.
I would compare the LDAP attributes between a problem machine and a working machine. Each machine has to have a unique unix account name and SID.

Normally you don't need to precreate the samba acct with smbpasswd -a -m or pdbedit. However it may help with the diagnostics to see what is not getting created. If you use smbpasswd or pdbedit to create the account, then use the ldap editor to fill in the missing attributes, then you should be able to join the domain.

Also double check that machine accounts are not being created in some other LDAP ou than you expected. You might be trying to fix one ldap entry while samba is creating one somewhere else.

It gets tricky when you use smbpasswd or pdbedit to create an account and it sees some attributes ther

On 06/14/13 07:49, Luis H. Forchesatto wrote:
> Hi Gaiseric
>
> Thanks for the reply. I believe the problem is not the flags but I will check them again as you suggested. I've found this problem quite annoying because it's not on my network, it's on a remote network and I need to move physically to another place in order to test the environment, quite boring also.
>
> Regarding the sambaPrimaryGroupSID I'll check again but I believe it MAY be the problem :)
>
> Also, can this cause this problem? "Another machine was already created previously..." something like?
>
> 2013/6/10 Gaiseric Vandal <gaiseric.van...@gmail.com>
>> [...]
>
> -- 
> Att.
> Luis H. Forchesatto
[Samba] Samba + LDAP: Issue adding machine.
Greetings.

I've run into trouble when trying to add a new Win7 machine to a domain. The domain is controlled by a server running Samba + LDAP (samba compiled with ldap support), on a Debian 5 OS at the local network.

I've added the machine name to the LDAP tree through phpldapadmin using the option "Samba3 Machine" on the related submenu and via terminal on samba. Then I renamed the new machine to match the computer name and tried to add it to the domain. When prompted for credentials to add the new machine I entered the admin login and password and hit enter. Windows then returned the following error (something like):

    The join operation was not successful. Maybe another existing machine account "machine_account_name" was created previously using another set of credentials. Use another computer name or contact the admin to remove any obsolete conflicting account.
    Error: Access denied.

Any ideas for the troubleshooting will be welcome.

-- 
Att.
Luis H. Forchesatto
Re: [Samba] Samba + LDAP: Issue adding machine.
I found that Samba 3.5.x has trouble creating the LDAP attributes correctly on new machine accounts. I think Samba 3.4.x was OK. Rejoining a machine to a domain was usually OK. You may need to do a mix of account creation with smbpasswd and LDAP modification with the LDAP editor.

It appears to incorrectly set sambaAccountFlags as [U] (user) instead of [W] (workstation). When attempting to join a machine to the domain you may get an error that the account already exists. Use an LDAP editor to make sure sambaAccountFlags is set to [W]. (You can use pdbedit to verify the setting but not to change it to [W].)

type: sambaAccountFlags
value: [W ]

If, when joining a domain, you get an error that "the specified network password is not correct", you may need to precreate the samba account attributes with the pdbedit or smbpasswd commands. Try the following on spooky:

# smbpasswd -x -m machinename
# smbpasswd -a -m machinename

You MAY also need to make sure that the sambaPrimaryGroupSID is also set. It should end with 515.

type: sambaPrimaryGroupSID
value: S-1-5-21-xxx-xxx-xxx-515

On 06/10/13 08:33, Luis H. Forchesatto wrote:
> Greetings. I've run into trouble when trying to add a new Win7 machine to a domain. The domain is controlled by a server running Samba + LDAP (Samba compiled with LDAP support), on a Debian 5 OS on the local network.
>
> I've added the machine name to the LDAP tree through phpldapadmin using the option Samba3 Machine on the related submenu and via terminal on Samba. Then I renamed the new machine to match the computer name and tried to add it to the domain. When prompted for credentials to add the new machine I entered the admin login and password and hit enter. Windows then returned the following error (something like):
>
> The junction operation did not succeed. Maybe another existing machine account machine_account_name was created previously using another set of credentials. Use another computer name or contact the admin to remove any obsolete conflicting account. Error: Access denied.
>
> Any ideas for troubleshooting will be welcome.
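The three checks the reply above walks through (the W flag in sambaAcctFlags, a sambaPrimaryGroupSID of domain SID-515, and a sambaSID under the domain SID) as an added Python audit over an LDIF export; this is example code, not from the thread, and the LDIF sample, the domain SID and the DNs are constructed.

```python
"""Audit Samba machine (workstation) accounts exported from LDAP.

Reads a minimal LDIF dump (what 'ldapsearch -LLL' prints) and flags the
defects described in the list reply: sambaAcctFlags set to [U] instead of
[W], a sambaPrimaryGroupSID that is not <domain SID>-515 (Domain Computers),
and a sambaSID that does not belong to the domain.
"""

# Constructed sample: one correct account and two defective ones.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
sambaSID: S-1-5-21-1111-2222-3333-3002
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-515
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1111-2222-3333-3004
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513
sambaAcctFlags: [U          ]

dn: uid=ws03$,ou=computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws03$
sambaSID: S-1-5-21-9999-8888-7777-3006
sambaPrimaryGroupSID: S-1-5-21-9999-8888-7777-515
sambaAcctFlags: [W          ]
"""

# Constructed domain SID; on a real DC take it from 'net getlocalsid'.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DOMAIN_COMPUTERS_RID = 515   # well-known RID of "Domain Computers"


def parse_ldif(text):
    """Split a minimal LDIF dump into dicts mapping attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_machine_account(entry, domain_sid=DOMAIN_SID):
    """Return the list of problems found on one machine-account entry."""
    problems = []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid %r does not end with '$'" % uid)

    # Flags look like "[W          ]"; only the letters matter.
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "W" not in set(flags.strip("[] ")):
        problems.append("sambaAcctFlags %s lacks W (workstation)" % flags)

    sid = entry.get("sambaSID", [""])[0]
    if not sid.startswith(domain_sid + "-"):
        problems.append("sambaSID %s is not under the domain SID" % sid)

    expected_pg = "%s-%d" % (domain_sid, DOMAIN_COMPUTERS_RID)
    pgsid = entry.get("sambaPrimaryGroupSID", [""])[0]
    if pgsid != expected_pg:
        problems.append("sambaPrimaryGroupSID %s should be %s" % (pgsid, expected_pg))
    return problems


def audit(ldif_text, domain_sid=DOMAIN_SID):
    """Map each entry's dn to its list of problems (empty list means OK)."""
    return {e["dn"][0]: check_machine_account(e, domain_sid)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, probs in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not probs else "; ".join(probs))
```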
Re: [Samba] Samba, LDAP and replica
On 26/12/2012 22:33, Andrew Bartlett wrote:
> On Wed, 2012-12-26 at 08:36 -0200, TI wrote:
> > Hi Guys, I have six Linux servers running Samba 3 as PDC of our domain, in different locations. They are integrated through LDAP (which is configured to replicate over our VPN) and all respond to the same domain. So, wherever the user is, he will log in to the same domain name. Now I'm planning to migrate to Samba 4. As Samba 4 manages its LDAP internally, what is the best approach to keep the same design I have today?
>
> Samba 4.0 can continue as-is, using your existing LDAP configuration, if you wish to maintain a 'classic' domain. To upgrade to an AD domain, you will need of course to use our internal LDAP. This is naturally multi-master replicated, so it should 'just work'.
>
> https://wiki.samba.org/index.php/Samba4/HOWTO#Migrating_an_Existing_Samba3_Domain_to_Samba4
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> The main thing to watch out for is, just as with Samba classic domains, the [netlogon] share (and [sysvol] in the AD case) is not replicated by Samba - you have to sync any changes around manually (eg rsync).
>
> We do have some support for the concept of Sites, but it isn't totally complete. So, you may wish to investigate closely to ensure it does enough to avoid swamping your VPN links.
>
> I wish you the very best with your upgrade. Feel free to come back with any issues you may have.

Hi Andrew,

We use the same kind of setup. We do extensively use LDAP for sudo, automount, lemonldap, ... a bunch of services. Can we basically keep our LDAP directory without altering the schema and still benefit from Samba 4 features? If this is completely ruled out, is there a smooth migration path to keep all that info in an LDAP directory (whether Samba internal or external)?

Thanks
[Samba] Samba, LDAP and replica
Hi Guys,

I have six Linux servers running Samba 3 as PDC of our domain, in different locations. They are integrated through LDAP (which is configured to replicate over our VPN) and all respond to the same domain. So, wherever the user is, he will log in to the same domain name.

Now I'm planning to migrate to Samba 4. As Samba 4 manages its LDAP internally, what is the best approach to keep the same design I have today? Should I search for a way to keep Samba LDAPs replicated, or is there a better way, like configuring remote Samba instances to work as BDC?

Thank you,
Edison
Re: [Samba] Samba, LDAP and replica
On Wed, 2012-12-26 at 08:36 -0200, TI wrote:
> Hi Guys, I have six Linux servers running Samba 3 as PDC of our domain, in different locations. They are integrated through LDAP (which is configured to replicate over our VPN) and all respond to the same domain. So, wherever the user is, he will log in to the same domain name. Now I'm planning to migrate to Samba 4. As Samba 4 manages its LDAP internally, what is the best approach to keep the same design I have today?

Samba 4.0 can continue as-is, using your existing LDAP configuration, if you wish to maintain a 'classic' domain. To upgrade to an AD domain, you will need of course to use our internal LDAP. This is naturally multi-master replicated, so it should 'just work'.

https://wiki.samba.org/index.php/Samba4/HOWTO#Migrating_an_Existing_Samba3_Domain_to_Samba4
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

The main thing to watch out for is, just as with Samba classic domains, the [netlogon] share (and [sysvol] in the AD case) is not replicated by Samba - you have to sync any changes around manually (eg rsync).

We do have some support for the concept of Sites, but it isn't totally complete. So, you may wish to investigate closely to ensure it does enough to avoid swamping your VPN links.

I wish you the very best with your upgrade. Feel free to come back with any issues you may have.

Thanks,
Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
[Samba] samba + ldap malfunction
hello, everybody

after migrating the cfg file from samba version 3.2.5 to 3.5.6, mounting the share and browsing its directories takes a very long time (at least for the root folder and for the first time; after that it kind of stabilizes and works ok, file transfer speed is as it should be, though from time to time it is lagging).

the only thing that caught my eye was a start tls error in the logs:

## Failed to issue the StartTLS instruction: Connect error ##

I tried to disable tls when talking to ldap with

## ldap ssl = off ##

but in this case I cannot access the shares anymore.

the log and testparm output - http://pastebin.com/xpaSTW7e

if there are any ldap settings needed to troubleshoot this, I can make them available.

apart from implementing ssl, is there another option to make this work? in the old setup it was running ok.

thanks for your time,
petre

-- Petre Bandac Network Scientist - pe...@kgb.ro
Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 17 Sep 2012 04:35:39 +0800, Jeffrey Chan wrote:
> Hi all, What's a good Samba+LDAP appliance these days for a small business?

not using it myself:

http://www.univention.de/
http://www.zentyal.org/

- Thomas
Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 2012-09-17 at 04:35 +0800, Jeffrey Chan wrote:
> Hi all, What's a good Samba+LDAP appliance these days for a small business? Currently I use a stock Ubuntu server and did all Samba/LDAP configuration manually. I'm looking for something that my regular staff can use as well.
>
> 1. I tried most of the popular NAS distros, like FreeNAS, NAS4Free, OpenmediaVault, etc. Most of these NAS don't have an LDAP server built-in.
> 2. I tried Openfiler, ClearOS and Zentyal which do have an LDAP server built-in but I haven't gotten them to import my existing Samba/LDAP data yet. WIP.
> 3. I just discovered Artica NAS Appliance and Univention UCS, will be testing them this week. Do you guys know anything about these two distros?
>
> Sometimes I wonder if I even need LDAP, I migrated to LDAP before only to make it a little easier (though not by much) to edit samba account data (e.g. SID). I guess I'd like to have centralized authentication as well (clients include Windows, Mac OSX and Linux, maybe OpenVPN as well). Is there a simpler mode of centralized login operation? Or is LDAP the only viable solution?

Samba 4.0 as an AD DC would be a good choice.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
[Samba] Samba/LDAP appliance recommendation
Hi all,

What's a good Samba+LDAP appliance these days for a small business? Currently I use a stock Ubuntu server and did all Samba/LDAP configuration manually. I'm looking for something that my regular staff can use as well.

1. I tried most of the popular NAS distros, like FreeNAS, NAS4Free, OpenmediaVault, etc. Most of these NAS don't have an LDAP server built-in.
2. I tried Openfiler, ClearOS and Zentyal which do have an LDAP server built-in but I haven't gotten them to import my existing Samba/LDAP data yet. WIP.
3. I just discovered Artica NAS Appliance and Univention UCS, will be testing them this week. Do you guys know anything about these two distros?

Sometimes I wonder if I even need LDAP, I migrated to LDAP before only to make it a little easier (though not by much) to edit samba account data (e.g. SID). I guess I'd like to have centralized authentication as well (clients include Windows, Mac OSX and Linux, maybe OpenVPN as well). Is there a simpler mode of centralized login operation? Or is LDAP the only viable solution?

- Jeff
[Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
Hi,

what are the minimum permissions on the attributes sambaLMPassword/sambaNTPassword for the LDAP administrator account so that Samba is just enabled to use it for authentication with the ldapsam backend? It seems like auth is not enough, is this true?!

Thanks,
Arokux
Re: [Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
On Tuesday, 31.07.2012 at 12:11 +0200, Arokux B. wrote:
> what are the minimum permissions on the attributes sambaLMPassword/sambaNTPassword for the LDAP administrator account so that Samba is just enabled to use it for authentication with the ldapsam backend? It seems like auth is not enough, is this true?!

Unlike a direct LDAP bind for a user, where one can be satisfied with just detecting a successful bind, Samba needs to be able to compare the stored sambaLMPassword/sambaNTPassword hashes with the hash provided by the client. That requires 'read' access at a minimum. (For password changes via this avenue, I believe you'd need 'write', although I'm less certain about that: might depend on the password change mechanism being used.)

Dave.

-- Dave Ewart da...@ceu.ox.ac.uk Computing Manager, Cancer Epidemiology Unit University of Oxford / Cancer Research UK N 51.7516, W 1.2152
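What the answer above implies for the OpenLDAP access list, as an added slapd.conf-style example that is not from the thread: a permissive rule beside one that grants exactly the read access Samba's bind DN needs. The DN cn=samba,dc=example,dc=com is an assumption standing in for whatever your smb.conf sets as 'ldap admin dn'; the rule must appear before any general "access to *" rule, since slapd applies the first matching "access to" clause.

```text
# WEAK: every authenticated (or even anonymous) client can read the
# NT/LM hashes, which are password equivalents for NTLM authentication.
access to attrs=sambaLMPassword,sambaNTPassword
    by * read

# CORRECTED: only the DN Samba binds with can read the hashes; no one
# else can even see that the attributes exist. Raise 'read' to 'write'
# on this one DN if this Samba server must also sync password changes.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=com" read
    by * none
```

Verify the effect with an ldapsearch as an ordinary user: the entry should come back without the two attributes, while the same search bound as the Samba DN shows them.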
[Samba] [SaMBa/LDAP] Password Policy
Hello everyone,

I am reposting a topic because I need your help. Has someone installed a password policy between LDAP and SaMBa? Mine doesn't work :/, samba doesn't find the policy. But in the log I found:

ldapsam_get_account_policy_from_ldap

I've already put the overlay in slapd.conf.

Thanks for your answers,
Flake

-- Cédric CARLEN Engineering student at TELECOM Lille 1, class FI15 ☎ 06.59.42.81.55
Re: [Samba] Samba / LDAP : map uid to another field ?
I found the « username map [script] » directive in the smb.conf man page. I've tested P1234=jdoe and it works. Next is to make a one line script to make this dynamic ^^

Another solution was to make a proxy LDAP instead of a replica.

Thanks for the help! If anyone has another idea, I'm open :)

2012/5/24 Sylvain debian.r...@gmail.com:
> Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe a local LDAP replica and use of your trick will work. I will try if there are no Samba solutions. Thanks :)
>
> 2012/5/24 miguelmeda...@sapo.pt:
> > I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
[Samba] Samba / LDAP : map uid to another field ?
Hi!

I have an OpenLDAP where user DNs are in the form « uid=P1234,ou=people,dc=example,dc=com » and where the login is in the « eduPersonPrincipalName » attribute (ex: jdoe). I have configured my system (Debian Squeeze) to authenticate against LDAP (libpam-ldapd + libnss-ldapd with a mapping uid-eduPersonPrincipalName); if I do « ssh jdoe@server », it works great.

Now I want to give Samba shares to these users, so I configured Samba (3.5.6) to connect to LDAP, but I cannot authenticate with eduPersonPrincipalName; if I use the « uid », it works. I have searched for a mapping option in samba but I didn't find one... Is it possible to map the « uid » attribute to another attribute? If yes, how?

Here is the smb.conf:

[global]
server string = %h server
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://192.168.102.153;
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain logons = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=example,dc=fr
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap suffix = dc=example,dc=fr
ldap ssl = no
ldap user suffix = ou=people
ldap debug level = 1
ldap debug threshold = 1
panic action = /usr/share/samba/panic-action %d

[netlogon]
path = /srv/samba/netlogon
write list = P1234
browseable = No

[profiles]
path = /srv/samba/export/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

Here is the slapd log which shows the use of uid:

May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 ACCEPT from IP=192.168.102.153:55825 (IP=0.0.0.0:389)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base= scope=0 deref=0 filter=(objectClass=*)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH attr=supportedControl
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base=dc=example,dc=fr scope=2 deref=0 filter=((uid=sderosiaux)(objectClass=sambaSamAccount))
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 closed (connection lost)

Thanks for advice,
Sylvain
Re: [Samba] Samba / LDAP : map uid to another field ?
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
Re: [Samba] Samba / LDAP : map uid to another field ?
Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe a local LDAP replica and use of your trick will work. I will try if there are no Samba solutions. Thanks :)

2012/5/24 miguelmeda...@sapo.pt:
> I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
Re: [Samba] Samba LDAP Failover
On 02.04.2012 07:43, Massimiliano Perantoni wrote:
> Hi,
> > the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26.
>
> Actually the only difference is the openldap client libraries version, I use 2.3 instead of 2.4, but using getent, as I stated before, works... If I do getent passwd I get, with the failure, the immediate list of local users and, after a timeout, I get the users list from the secondary LDAP. I guess that nscd is working or, at least, the service is up and running: never understood how the system decides to use it or not... For what I know if I disable the service nothing changes, so I do not know if nscd is working or not... If I stop the LDAP I get the failover with getent, but I have to wait for the timeout set in ldap.conf.

I honestly don't know what's going on there. I just wanted to make sure that getent is really working and doesn't just look that way because nscd masks the problem. I guess your secondary 389 server doesn't show a connection attempt in the log when you simulate the failure of your first server? You wrote that you don't use ssl - is this also true in ldap.conf?

> > The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?
>
> I get a timeout seconds (actually 5 secs) delay... Then the answer, while samba waits for the timeout set in smb.conf then fails. Ciao and thanks!
>
> > On 01.04.2012 23:47, Massimiliano Perantoni wrote:
> > > Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!
> > >
> > > On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
> > > > On 31.03.2012 20:56, Steve Thompson wrote:
> > > > > On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> > > > > > Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
> > > > >
> > > > > I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
> > > >
> > > > My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected. Regards Stephan
Re: [Samba] Samba LDAP Failover
Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
> On 31.03.2012 20:56, Steve Thompson wrote:
> > On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> > > Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
> >
> > I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
>
> My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected. Regards Stephan

-- Massimiliano Perantoni http://www.perantoni.net tw: maxper75
Re: [Samba] Samba LDAP Failover
Hey, the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26. The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?

On 01.04.2012 23:47, Massimiliano Perantoni wrote:
> Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!
>
> On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
> > On 31.03.2012 20:56, Steve Thompson wrote:
> > > On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> > > > Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
> > >
> > > I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
> >
> > My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected. Regards Stephan
Re: [Samba] Samba LDAP Failover
Hi,

> the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26.

Actually the only difference is the openldap client libraries version, I use 2.3 instead of 2.4, but using getent, as I stated before, works... If I do getent passwd I get, with the failure, the immediate list of local users and, after a timeout, I get the users list from the secondary LDAP. I guess that nscd is working or, at least, the service is up and running: never understood how the system decides to use it or not... For what I know if I disable the service nothing changes, so I do not know if nscd is working or not... If I stop the LDAP I get the failover with getent, but I have to wait for the timeout set in ldap.conf.

> The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?

I get a timeout seconds (actually 5 secs) delay... Then the answer, while samba waits for the timeout set in smb.conf then fails. Ciao and thanks!

> On 01.04.2012 23:47, Massimiliano Perantoni wrote:
> > Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!
> >
> > On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
> > > On 31.03.2012 20:56, Steve Thompson wrote:
> > > > On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> > > > > Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
> > > >
> > > > I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
> > >
> > > My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected. Regards Stephan

-- Massimiliano Perantoni http://www.perantoni.net tw: maxper75
[Samba] Samba LDAP Failover
Hi,

I have a quite simple setup for a particular customer that loves redundancy and failover.

PDC + BDC with LDAP passwords on two 389-ds in multimaster node + several samba member servers.

Actually, pointing singly at either of the systems everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from

passdb backend = ldapsam:ldap://ldap1;
or
passdb backend = ldapsam:ldap://ldap2;

to

passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;

I still authenticate on the first LDAP, but as soon as I shut this off with

iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT #Simulates, from the samba machine, a failure in the service

(and, yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure. This is the way I reproduce the problem:

#with the first ldap reachable
smbclient -L pdc-01 -U maxper
Password:
Domain: [XX]

everything works fine

iptables -I OUTPUT -p tcp --dport 389 -j DROP
smbclient -L pdc-01 -U maxper

answers

session setup failed: NT_STATUS_LOGON_FAILURE

getent passwd works OK, gives both local and ldap users after the timeout set in ldap.conf, while samba just drops the authentication after the committed param

ldap timeout = 8

after 8 secs, samba drops and gives that error. Samba is version 3.4.15, while the distro is CentOS 5.4. Any help would be appreciated!

Ciao
Massimiliano
Re: [Samba] Samba LDAP Failover
I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Massimiliano Perantoni
Sent: Saturday, March 31, 2012 6:12 AM
To: samba@lists.samba.org
Subject: [Samba] Samba LDAP Failover

> Hi, I have a quite simple setup for a particular customer that loves redundancy and failover.
>
> PDC + BDC with LDAP passwords on two 389-ds in multimaster node + several samba member servers.
>
> Actually, pointing singly at either of the systems everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from
>
> passdb backend = ldapsam:ldap://ldap1;
> or
> passdb backend = ldapsam:ldap://ldap2;
>
> to
>
> passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;
>
> I still authenticate on the first LDAP, but as soon as I shut this off with
>
> iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT #Simulates, from the samba machine, a failure in the service
>
> (and, yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure. This is the way I reproduce the problem:
>
> #with the first ldap reachable
> smbclient -L pdc-01 -U maxper
> Password:
> Domain: [XX]
>
> everything works fine
>
> iptables -I OUTPUT -p tcp --dport 389 -j DROP
> smbclient -L pdc-01 -U maxper
>
> answers
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> getent passwd works OK, gives both local and ldap users after the timeout set in ldap.conf, while samba just drops the authentication after the committed param
>
> ldap timeout = 8
>
> after 8 secs, samba drops and gives that error. Samba is version 3.4.15, while the distro is CentOS 5.4. Any help would be appreciated!
>
> Ciao
> Massimiliano
Re: [Samba] Samba LDAP Failover
The matter is that, since the manual indicates so, it should be supported and delegated to the ldap api in use... The openldap api supports rebinding. The proof of it is that if in /etc/ldap.conf I put 2 ldap servers in the uri everything works fine. The matter seems to be that samba, even using such an infrastructure, doesn't work. I'd like at least to know if it is some mistake I make or it is just deprecated/never supported, just to go in other directions implementing other failover-by-hand systems.

Thanks!

On 31 March 2012 14:37, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
> I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Massimiliano Perantoni
> Sent: Saturday, March 31, 2012 6:12 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba LDAP Failover
>
> > Hi, I have a quite simple setup for a particular customer that loves redundancy and failover.
> >
> > PDC + BDC with LDAP passwords on two 389-ds in multimaster node + several samba member servers.
> >
> > Actually, pointing singly at either of the systems everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from
> >
> > passdb backend = ldapsam:ldap://ldap1;
> > or
> > passdb backend = ldapsam:ldap://ldap2;
> >
> > to
> >
> > passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;
> >
> > I still authenticate on the first LDAP, but as soon as I shut this off with
> >
> > iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT #Simulates, from the samba machine, a failure in the service
> >
> > (and, yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure. This is the way I reproduce the problem:
> >
> > #with the first ldap reachable
> > smbclient -L pdc-01 -U maxper
> > Password:
> > Domain: [XX]
> >
> > everything works fine
> >
> > iptables -I OUTPUT -p tcp --dport 389 -j DROP
> > smbclient -L pdc-01 -U maxper
> >
> > answers
> >
> > session setup failed: NT_STATUS_LOGON_FAILURE
> >
> > getent passwd works OK, gives both local and ldap users after the timeout set in ldap.conf, while samba just drops the authentication after the committed param
> >
> > ldap timeout = 8
> >
> > after 8 secs, samba drops and gives that error. Samba is version 3.4.15, while the distro is CentOS 5.4. Any help would be appreciated!
> >
> > Ciao
> > Massimiliano
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Gaiseric Vandal wrote:
> I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

Samba most certainly does support multiple LDAP backends. There's even an example in the smb.conf(5) man page.

Steve
Re: [Samba] Samba LDAP Failover
I'm using exactly that, without luck...

-- Massimiliano Perantoni site: http://www.perantoni.net

On 31 March 2012 15:35, Steve Thompson s...@vgersoft.com wrote:
> On Sat, 31 Mar 2012, Gaiseric Vandal wrote:
> > I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.
>
> Samba most certainly does support multiple LDAP backends. There's even an example in the smb.conf(5) man page.
>
> Steve
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> I'm exactly using that, without luck...

Not sure what to tell you; I have used multiple LDAP servers in the past with success, although these days I use a single virtual LDAP server which load balances across a set of backend servers. What happens if you actually shut down the first LDAP server rather than REJECT it?

Steve
Re: [Samba] Samba LDAP Failover
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?

On 31 March 2012 at 19:04, Steve Thompson s...@vgersoft.com wrote:
> On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
>> I'm exactly using that, without luck...
>
> Not sure what to tell you; I have used multiple LDAP servers in the past with success, although these days I use a single virtual LDAP server which load balances across a set of backend servers. What happens if you actually shut down the first LDAP server rather than REJECT it?
>
> Steve
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
> Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?

I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago.

Steve
Re: [Samba] Samba LDAP Failover
On 31.03.2012 20:56, Steve Thompson wrote:
> On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
>> Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
>
> I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago.
>
> Steve

My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.

Regards
Stephan
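The thread settles on "the man page has an example" without showing the form, so here is an added example (not from the thread, not Samba's own code) that embeds the documented syntax and audits an smb.conf for it: `passdb backend = ldapsam:"ldap://a ldap://b"` lists the servers space separated inside one quoted string, which is what trips people up. The `audit` checker below parses the [global] section, extracts the LDAP URIs from that line, and flags a single-server configuration (no failover) and `ldap ssl = off` with plain ldap:// URIs. The sample smb.conf, the example.com host names and the function names are this example's own assumptions.

```python
import shlex

# Constructed smb.conf fragment (not from the thread). The 'passdb backend'
# line uses the multi-server form from smb.conf(5): several URIs, space
# separated, inside one quoted string. Samba hands the whole list to the LDAP
# library, which tries the servers in order.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=admin,dc=example,dc=com
    ldap ssl = off
    ldap timeout = 8
"""

LDAP_SCHEMES = ("ldap://", "ldaps://", "ldapi://")


def parse_global(text):
    """Return the [global] section as {parameter (lower-cased): value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def ldap_uris(passdb_backend):
    """Pull the LDAP URIs out of a 'passdb backend' value.

    Handles both ldapsam:ldap://host and ldapsam:"ldap://a ldap://b";
    shlex keeps the quoted list together as one token."""
    uris = []
    for token in shlex.split(passdb_backend):
        if not token.startswith("ldapsam"):
            continue
        _, _, spec = token.partition(":")
        uris.extend(u for u in spec.split() if u.startswith(LDAP_SCHEMES))
    return uris


def audit(text):
    """Return (uris, findings) for an smb.conf text."""
    g = parse_global(text)
    uris = ldap_uris(g.get("passdb backend", "tdbsam"))
    findings = []
    if uris and len(uris) < 2:
        findings.append("only one LDAP URI in passdb backend: no failover")
    # 'ldap ssl' defaults to 'start tls'; switched off with plain ldap://
    # URIs, the admin dn bind and the password hashes cross the wire in clear
    if g.get("ldap ssl", "start tls").lower() in ("off", "no", "false") and any(
            u.startswith("ldap://") for u in uris):
        findings.append("ldap ssl = off with ldap:// URIs: directory traffic is unencrypted")
    if "ldap timeout" in g:
        findings.append(f"ldap timeout = {g['ldap timeout']}: upper bound in seconds for each LDAP operation")
    return uris, findings


if __name__ == "__main__":
    found, notes = audit(SAMPLE_SMB_CONF)
    print("LDAP servers:", found)
    for n in notes:
        print("-", n)
```

When a server is firewalled with DROP rather than shut down, as in the first message of this thread, the connect attempt itself has to time out before the library moves on to the next URI; `ldap timeout` bounds individual operations, and newer smb.conf(5) versions also document a separate `ldap connection timeout` for the connect phase, so check which of the two the installed release honours.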
[Samba] samba+ldap
I'm trying to combine samba + ldap. I was successful in another attempt, which motivated me to create a .deb package that would do the whole process. I installed this package and the ldap dit was created successfully, but when I try to insert a Windows machine in the Domain I get the message that the Referred Domain does not exist or can not be contacted. The system log does not log slapd connections; on the other hand log.nmbd reports that my domain is ok. I thought that might be because before I used samba compiled manually --with-ldap. Thank you.
Re: [Samba] samba+ldap
> I'm trying to combine samba + ldap. I was successful in another attempt, which motivated me to create a .deb package that would do the whole process. I installed this package and the ldap dit was created successfully, but when I try to insert a Windows machine in the Domain I get the message that the Referred Domain does not exist or can not be contacted. The system log does not log slapd connections; on the other hand log.nmbd reports that my domain is ok. I thought that might be because before I used samba compiled manually --with-ldap. Thank you.

Are you trying to join a Windows 7 machine to the domain? If so, please see this page:

http://wiki.samba.org/index.php/Windows7
[Samba] samba ldap domain member server with cifs and nfs
Hi samba lists,

we have a samba-ldap domain running on a debian squeeze (samba 3.5.6) server (pdc and bdc). I try to configure a domain member server on another debian squeeze that will serve as cifs and nfs server.

My Debian member server uses winbind (on ldap) for mapping the users' windows sid to the unix uid. The users mapping is written in the ldap directory: ou=idmap,dc=exemple,dc=com

The unix uids provided by winbind are not the same as those used by the system (libnss-ldap); winbind doesn't know the real user uid. The result is that I can't use nfs with cifs because the system users' uid (libnss-ldap) are different from those provided by winbind.

It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had a domain member server in this samba version.

Is there a way to synchronize unix uids with idmap uids? I plan to write a script that will write the entries in the idmap OU to have consistent uid mapping between libnss-ldap and cifs share.

Note: my smb.conf

[global]
workgroup = foo
security = DOMAIN
server string = server1
#passdb backend = ldapsam:ldap://192.168.10.150
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139
name resolve order = wins bcast hosts
wins server = 192.168.1.7
ldap suffix = dc=exemple,dc=com
ldap machine suffix = ou=Machines
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=exemple,dc=com
ldap timeout = 20
idmap backend = ldap:ldap://192.168.1.7
idmap uid = 1-2
idmap gid = 1-2
winbind trusted domains only = Yes
winbind separator = /
ldap ssl = off

Thanks
Best regards
Guilhem
Re: [Samba] samba ldap domain member server with cifs and nfs
On 27/02/12 12:01, Guilhem Souque wrote:
> It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had a domain member server in this samba version.
>
> Is there a way to synchronize unix uids with idmap uids?

Hi

We got bad mappings when nscd was cache-ing the wrong uids. In the end, we decided against winbind and took the uid:gid directly from ldap.

Turn off nscd?

Cheers,
Steve
Re: [Samba] samba ldap domain member server with cifs and nfs
From: Guilhem Souque gsou...@artprice.com
Date: Mon, 27 Feb 2012 12:01:50 +0100

> I try to configure a domain member server on another debian squeeze that will serve as cifs and nfs server.
(snip)
> The unix uids provided by winbind are not the same as those used by the system (libnss-ldap); winbind doesn't know the real user uid. The result is that I can't use nfs with cifs because the system users' uid (libnss-ldap) are different from those provided by winbind.
>
> It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had a domain member server in this samba version.
>
> Is there a way to synchronize unix uids with idmap uids?
(snip)
> winbind trusted domains only = Yes

winbind trusted domains only is somewhat deprecated. You should use idmap_nss instead.

---
TAKAHASHI Motonobu mo...@samba.gr.jp
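Guilhem's own plan in the opening message is a script that writes entries into the idmap OU so that winbind hands out the same uid that libnss-ldap already uses. TAKAHASHI's idmap_nss suggestion sidesteps the problem by making winbind ask NSS instead, but where the idmap OU is kept, this added example (not from the thread, not smbldap-tools or Samba code) shows what such a script has to produce: it reads the users and groups from an LDIF export, pairs each sambaSID with the real uidNumber or gidNumber, emits sambaSidEntry/sambaIdmapEntry objects for ou=Idmap, and reports existing idmap entries whose number disagrees with the account. The LDIF sample, the SIDs in it and the function names are constructed for this example; the suffix matches the one in Guilhem's smb.conf.

```python
# Constructed sample directory content (not from the thread). The suffix
# matches the 'ldap idmap suffix' / 'ldap suffix' in Guilhem's smb.conf.
IDMAP_SUFFIX = "ou=Idmap,dc=exemple,dc=com"

SAMPLE_USERS_LDIF = """\
dn: uid=alice,ou=Users,dc=exemple,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-3002
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513

dn: cn=Domain Users,ou=Groups,dc=exemple,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-513
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists (no base64, no folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def idmap_mappings(entries):
    """(sid, 'uidNumber'|'gidNumber', number) for each account or group that
    carries both a sambaSID and a POSIX id: these are the real ids that the
    idmap OU must agree with."""
    out = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        sid = e.get("sambaSID", [None])[0]
        if not sid:
            continue
        if "sambasamaccount" in classes and "uidNumber" in e:
            out.append((sid, "uidNumber", int(e["uidNumber"][0])))
        elif "sambagroupmapping" in classes and "gidNumber" in e:
            out.append((sid, "gidNumber", int(e["gidNumber"][0])))
    return out


def to_idmap_ldif(mappings, suffix=IDMAP_SUFFIX):
    """LDIF for the idmap OU in the shape idmap_ldap itself writes:
    one sambaSidEntry/sambaIdmapEntry object per SID."""
    blocks = []
    for sid, attr, number in mappings:
        blocks.append("\n".join([
            f"dn: sambaSID={sid},{suffix}",
            "objectClass: sambaSidEntry",
            "objectClass: sambaIdmapEntry",
            f"sambaSID: {sid}",
            f"{attr}: {number}",
        ]))
    return "\n\n".join(blocks) + "\n"


def stale_mappings(mappings, existing):
    """existing: {sid: (attr, number)} as currently stored in the idmap OU.
    Returns the SIDs whose stored id differs from the account's real id;
    those are the ones winbind would hand out wrongly."""
    return [sid for sid, attr, number in mappings
            if sid in existing and existing[sid] != (attr, number)]


if __name__ == "__main__":
    print(to_idmap_ldif(idmap_mappings(parse_ldif(SAMPLE_USERS_LDIF))))
```

Two things to keep in mind before loading the output with ldapadd: the numbers written this way must lie inside the `idmap uid` / `idmap gid` ranges or winbind will refuse them, and the pool object that idmap_ldap keeps for its own allocations (objectClass sambaUnixIdPool) should be left untouched so it does not later hand out a uid that the directory already uses.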
[Samba] Samba LDAP passthrough authentication to another openLDAP
Hi all,

I have a setup like this. Pls let me know if it's possible or not.

SAMBA + Local LDAP --- SASLAUTHD -- Global LDAP

Desc: I'd like to do Samba authentication to LDAP, passthrough to another LDAP using SASL.

The current situation is: SSH authentication from LDAP user to that Samba box works. However, smb authentication doesn't work (yet).

This is what's shown in syslog when doing Samba authentication:

Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access to uid=fajar,ou=people,dc=example,dc=com userPassword requested
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_get: [1] attr userPassword
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: access to entry uid=fajar,ou=people,dc=example,dc=com, attr userPassword requested
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: to value by , (=0)
Feb 16 20:47:05 sglabldap slapd[1393]: = check a_dn_pat: cn=admin,dc=example,dc=com
Feb 16 20:47:05 sglabldap slapd[1393]: = check a_dn_pat: anonymous
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: [2] applying read(=rscxd) (stop)
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: [2] mask: read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: = slap_access_allowed: read access granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 ENTRY dn=uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:47:05 sglabldap slapd[1393]: = send_search_entry: conn 1062 exit.
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: conn=1062 op=1 p=3
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: err=0 matched= text=
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_response: msgid=2 tag=101 err=0
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on 1 descriptor
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on:
Feb 16 20:47:05 sglabldap slapd[1393]: 15r

In /var/log/samba/log.smbd:

[2012/02/16 21:05:46, 3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2012/02/16 21:05:57, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\[fajar]@[SG-ROUTER0] with the new password interface
[2012/02/16 21:05:57, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [LDAPCLIENT]\[fajar]@[SG-ROUTER0]
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/02/16 21:05:57, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2012/02/16 21:05:57, 3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: fajar
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2012/02/16 21:05:57, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 11000
[2012/02/16 21:05:57, 3] libsmb/ntlm_check.c:350(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user fajar
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:1199(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: fajar
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [fajar] - [fajar] FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/02/16 21:05:57, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2012/02/16 21:05:57, 3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
--

This is what's shown in syslog when doing SSH authentication:

Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 do_bind
Feb 16 20:59:17 sglabldap slapd[1393]: dnPrettyNormal: uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]: dnPrettyNormal: uid=fajar,ou=people,dc=example,dc=com, uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 BIND dn=uid=fajar,ou=people,dc=example,dc=com method=128
Feb 16 20:59:17 sglabldap slapd[1393]: do_bind: version=3 dn=uid=fajar,ou=people,dc=example,dc=com method=128
Feb 16 20:59:17 sglabldap slapd[1393]: == hdb_bind: dn: uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]:
Re: [Samba] Samba LDAP passthrough authentication to another openLDAP
On Thu, 2012-02-16 at 21:10 +0800, Fajar Priyanto wrote:
> Hi all,
> I have a setup like this. Pls let me know if it's possible or not.
> SAMBA + Local LDAP --- SASLAUTHD -- Global LDAP

No. Samba uses the sambaNTPassword attribute in its LDAP schema which is a crypt of the password. You may be able to get plain-text authentication to work but only by adjusting Samba *and* hacking the registry on every client.

> Desc: I'd like to do Samba authentication to LDAP, passthrough to another LDAP using SASL.
> The current situation is: SSH authentication from LDAP user to that Samba box works.

That doesn't involve Samba unless you are using Kerberos or something like pam_winbind / pam_smbpasswd [I don't even know which if any of those are currently 'active'].

> However, smb authentication doesn't work (yet).
> This is what's shown in syslog when doing Samba authentication:
> Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access to uid=fajar,ou=people,dc=example,dc=com userPassword requested

Looks like pam_ldap authentication to me. There may be a way to proxy authentication via LDAP [there are jillions of things you can do with LDAP] but I doubt involving saslauthd [plain text authentication] is going to work very well.

--
System Network Administrator [ LPI NCLA ] http://www.whitemiceconsulting.com
OpenGroupware Developer http://www.opengroupware.us
Adam Tauno Williams
[Samba] Samba, ldap, password complexity, cracklib - questions
Hallo,

we run a Redhat samba 3.5.4 PDC with openldap 2.4 as user/password backend. The ldap also contains the posix information for the users to login to some web/mail/etc. servers.

I'm faced with the task to implement a 'both worlds' compatible password sync process regarding complexity etc.

For the posix account password we use a web frontend, configured to use pam/cracklib checks, which works fine. E.g. 'hello' is NOT allowed as password :-)

Checking the password change from a windows 7 / XP notebook reveals that there is no such complexity check used. E.g. 'hello' IS allowed as a user's password. :-(

Password syncing (posix - windows) works. That means changing from the web or windows changes both ldap entries.

My question: can someone point me to some docs or can someone explain how I can use (the same/a) complexity check when changing passwords from windows?

Thanks a lot and best regards. Götz

--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart HRB 205016
Chairman of the supervisory board: Jürgen Walter MdL, State Secretary in the Ministry of Science, Research and the Arts of Baden-Württemberg
Managing director: Prof. Thomas Schadt
Re: [Samba] Samba, ldap, password complexity, cracklib - questions
On Thu, 2012-02-02 at 15:00 +0100, Götz Reinicke wrote:
> Hallo,
> we run a Redhat samba 3.5.4 PDC with openldap 2.4 as user/password backend. The ldap also contains the posix information for the users to login to some web/mail/etc. servers.
> I'm faced with the task to implement a 'both worlds' compatible password sync process regarding complexity etc.
> For the posix account password we use a web frontend, configured to use pam/cracklib checks, which works fine. E.g. 'hello' is NOT allowed as password :-)
> Checking the password change from a windows 7 / XP notebook reveals that there is no such complexity check used. E.g. 'hello' IS allowed as a user's password. :-(
> Password syncing (posix - windows) works. That means changing from the web or windows changes both ldap entries.
> My question: can someone point me to some docs or can someone explain how I can use (the same/a) complexity check when changing passwords from windows?

check password script = /usr/local/sbin/crackcheck -c -s

Not sure where I got crackcheck from; it is a compiled binary.

--
System Network Administrator [ LPI NCLA ] http://www.whitemiceconsulting.com
OpenGroupware Developer http://www.opengroupware.us
Adam Tauno Williams
Re: [Samba] Samba, ldap, password complexity, cracklib - questions
On 2012-02-02 15:08, Adam Tauno Williams wrote:
> check password script = /usr/local/sbin/crackcheck -c -s
> Not sure where I got crackcheck from; it is a compiled binary.

I think you got it from the samba tar ball:
https://lists.samba.org/archive/samba/2011-September/164089.html

--
Message sent via my webmail account.
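The answer names the hook but not its contract. `check password script` runs a program for every password change that reaches Samba: the candidate password arrives on the program's standard input and exit status 0 means "accept", anything else means "reject". This added example (not from the thread and not the crackcheck binary that ships in the Samba tarball) is a script in that shape, with rules chosen to resemble what pam_cracklib enforces on the POSIX side so that the two change paths agree on what 'hello' is. The minimum length, the character-class rule and the small word list are this example's own assumptions, as is the install path in the note below.

```python
#!/usr/bin/env python3
"""Candidate 'check password script' for smb.conf (added example, not the
crackcheck binary from the Samba tarball). Samba pipes the candidate password
to stdin and accepts it only when the script exits 0."""
import re
import sys

MIN_LENGTH = 8
# Constructed stand-in for a cracklib word list; a real deployment would
# consult the system dictionary instead.
COMMON_WORDS = {"hello", "password", "welcome", "letmein", "qwerty", "secret"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_ok(candidate):
    """Return (accepted, reason). The rules mimic what pam_cracklib applies
    on the POSIX side so that both password-change paths agree."""
    pw = candidate.rstrip("\r\n")
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, pw))
    if classes < 3:
        return False, "needs at least three character classes"
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or letters_only in COMMON_WORDS:
        return False, "based on a dictionary word"
    return True, "ok"


def main():
    # Samba supplies the password on stdin. Report only the reason, never
    # the candidate itself: this runs under smbd and its stderr may be logged.
    candidate = sys.stdin.readline()
    accepted, reason = password_ok(candidate)
    if not accepted:
        print(f"password rejected: {reason}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as, say, /usr/local/sbin/samba-pwcheck (a hypothetical path) and referenced with `check password script = /usr/local/sbin/samba-pwcheck`, it is consulted for changes arriving from Windows clients; the web frontend keeps going through pam/cracklib, so the two rule sets have to be kept in step by hand.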
[Samba] Samba LDAP kerberos tickets problem
Hi,

I am using Samba to join AD. But I have a problem with version 3.4.7 which I did not meet in version 3.2.5. Here are my steps:

in version 3.2.5
1. set smb.conf and krb5.conf the realm to test.com; in smb.conf set use kerberos keytab = true
2. net ads join -U Administrator%Password createupn=t...@test.com createcomputer=Computers
3. net ads keytab create

The three steps will have no error and all succeed; then use klist, the ldap/ds1.test@test.com ticket will be available in the output.

But in version 3.4.7
1. set smb.conf and krb5.conf the realm to test.com; in smb.conf kerberos method = system keytab
2. net ads join -U Administrator%Password createupn=t...@test.com createcomputer=Computers
3. net ads keytab create

Step 1 and Step 2 will succeed. But when I run step 3, it asks me to input root's password; this did not happen when using version 3.2.5. Then I have to use net ads keytab create -U Administrator%Password to make it run successfully, but after this when I use klist, the ldap/ds1.test@test.com ticket does not exist.

So what happens and how can I make it like the version 3.2.5?

When I try to use net -k ads keytab create, the exit value will be -1 and when I add debug information, the error will be:
ads_krb5_mk_req: krb5_get_credentials failed ( ldap/ds1.test@test.com) ( Cannot find ticket for requested realm)

Can anyone help me? Thanks very much in advance!
[Samba] Samba/LDAP/Win7 Domain Admins could not log in
Hi,

I'm running Samba 3.5.6 with OpenLDAP 2.4.23 (from Debian Squeeze) as PDC. Everything is working fine (Joining Domains, Log on Users) but I'm not able to Log in as Domain Admin. If I try to, the message "Unable to log on. The User Profile Service service failed the logon. User profile cannot be loaded." (in german: Fehler bei der Anmeldung mit dem Benutzerprofildienst. Das Benutzerprofil kann nicht geladen werden.) appears. The Samba Log looks fine. If I change the user to be a normal Domain User he can log in without problems.

I've changed the following Registry-Settings in order to join the domain:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DNSNameResolutionRequired=dword:
DomainCompatibilityMode=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
LmCompatibilityLevel=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
NtlmMinServerSec=dword:
NtlmMinClientSec=dword:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
LDAPServerIntegrity=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
RestrictNTLMInDomain=dword:
RequireSignOrSeal=dword:1
RequireStrongKey=dword:1
DisablePasswordChange=dword:0001
RefusePasswordChange=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP\Parameters]
LDAPClientIntegrity=dword:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
LocalProfile=dword:0001

This is my smb.conf:

[global]
workgroup = CATDOM
server string = %h
netbios name = PDC
smb ports = 445 139
passdb backend = ldapsam:ldap://localhost
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/sbin/smbldap-passwd %u
log level = 5
log file = /var/log/samba/samba.log
max log size = 1000
time server = Yes
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
logon script = scripts/logon.bat
logon path =
logon drive =
domain logons = Yes
domain master = Yes
os level = 210
preferred master = Yes
ldap admin dn = cn=admin,dc=ldap,dc=local
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap user suffix = ou=People
ldap suffix = dc=ldap,dc=local
ldap passwd sync = yes
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
create mask = 0775
force create mode = 0775
directory mask = 0775
force directory mode = 0775
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
server signing = disabled
encrypt passwords = true
password server = *
wins support = true
local master = yes
guest account = nobody
map to guest = Bad User
dns proxy = no
panic action = /usr/share/samba/panic-action %d
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
lanman auth = yes
client ntlmv2 auth = yes

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = root
browseable = No

Any ideas?

Regards,
Denis Witt
Re: [Samba] Samba/LDAP/Win7 Domain Admins could not log in
The Samba wiki page related to the use of Windows 7 with Samba contains the following statements:

« There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0 »

AND:

« Do *not* edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values. If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below: »

The quoted page resides here: http://wiki.samba.org/index.php/Windows7
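The wiki text quoted above reduces to two required DWORDs and "reset everything else". This added example (not from the thread, not from the wiki) is a checker for a .reg export like the one Denis posted: it reports required values that are missing or wrong and lists every other DWORD set under the exported keys so the administrator knows what to put back. The sample export is constructed from the keys in Denis's message with full 8-digit DWORD values (the page shows them truncated); the required set is exactly the two values the wiki names. The checker deliberately does not know the Windows defaults, so it only lists the extra values rather than guessing what they should be.

```python
import re

# The only values the quoted wiki page asks for; compared case-insensitively
# against the tail of each key path so HKLM/HKEY_LOCAL_MACHINE, System/SYSTEM
# and CCS/CurrentControlSet spellings all match.
REQUIRED = {
    r"services\lanmanworkstation\parameters": {
        "domaincompatibilitymode": 1,
        "dnsnameresolutionrequired": 0,
    },
}

# Constructed .reg export modelled on Denis's list (values written out in full).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
"DisablePasswordChange"=dword:00000001
"RefusePasswordChange"=dword:00000001
"""


def parse_reg(text):
    """Return {key path (lower-cased): {value name (lower-cased): int}},
    keeping DWORD values only, which is all these settings are."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1).lower()
            out.setdefault(current, {})
            continue
        value = re.match(r'^"?([^"=]+)"?=dword:([0-9a-fA-F]{1,8})$', line)
        if value and current is not None:
            out[current][value.group(1).lower()] = int(value.group(2), 16)
    return out


def audit_reg(text):
    """Return (missing, extra).

    missing: (path suffix, name, wanted, found) for required values absent or wrong
    extra:   (path, name, value) for everything else the export sets"""
    reg = parse_reg(text)
    missing, extra = [], []
    for suffix, wanted in REQUIRED.items():
        present = [vals for path, vals in reg.items() if path.endswith(suffix)]
        values = present[0] if present else {}
        for name, want in wanted.items():
            if values.get(name) != want:
                missing.append((suffix, name, want, values.get(name)))
    for path, values in reg.items():
        required_here = next((w for s, w in REQUIRED.items() if path.endswith(s)), {})
        for name, val in values.items():
            if name not in required_here:
                extra.append((path, name, val))
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit_reg(SAMPLE_REG)
    for item in missing:
        print("required value wrong or absent:", item)
    for item in extra:
        print("not required by the Samba wiki, reset to its default:", item)
```

Run against a `reg export` of the client's HKLM\SYSTEM\CurrentControlSet tree, the `extra` list is the work list the reply asks for; the Netlogon entries Denis set are the ones the wiki singles out.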
[Samba] Samba - Ldap InetOrgPerson
I don't know if I should post this here or in the samba bugzilla but here goes...

I am trying to get samba-ldap (editposix) to use the InetOrgPerson schema so that I can set up a samba domain using our existing ldap directory. Our websites' users are held in a LDAP directory that has user info stored in the InetOrgPerson schema where user names are in cn=Username, but samba-ldap users are stored in the 'account' schema as uid=Username.

I think these patches https://bugzilla.samba.org/show_bug.cgi?id=4597 will change samba to use the InetOrgPerson schema, so I have built Samba-ldap from the OpenBSD ports tree along with the two included patches. I've read about the patches and have had a look at them but don't really understand how they work and whether I need to modify the patches to enable the correct schema, but have blindly started up samba and my ldap server and have run the net sam provision command to populate the directory, but the users still have uid= and not cn=

The ldap server that I am using with samba doesn't actually have the inetorgperson schema in it yet as I haven't been able to figure out how to get a working tree structure set up that contains the InetOrgPerson schema. I was hoping that, because I have applied the patches, the net sam provision command would fail as the schema was wrong, but as it's not I am wondering if the patches have worked.

Can anyone give me some advice on what I could try next?

Thanks
Keith
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 04.08.2011 12:09, J. Echter wrote:
> On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
>> From: J. Echter j.ech...@elektro-mayer-echter.de
>> Date: Tue, 02 Aug 2011 14:12:05 +0200
>>
>>> I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.
>>
>> Have you set the SID same as PDC on BDC? For example
>> - bdc# net rpc getsid
>> Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomanName in secrets.tdb
>> -
>> Remember that before running the command, you have to set smb.conf correctly as BDC.
>>
>>> here's the conf of my testing smb machine:
>>> [global]
>>> domain master = no
>>> domain logons = no
>>> passdb backend = ldapsam:ldap://mule
>>> idmap backend = ldap:ldap://mule
>>> idmap uid = 1-15000
>>> idmap gid = 1-15000
>>
>> You have to set domain logons = yes to make this machine act as BDC. And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.
>>
>>> there's something wrong with my config... the successful logins are only able because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.
>>
>> Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf
>> getent passwd a-user-created-on-PDC
>> on BDC shows his entry?
>>
>> ---
>> TAKAHASHI Motonobu mo...@samba.gr.jp
>
> ok, I'm sorry. I'm stupid. I overlooked that I disabled domain logons... now it's showing the right domain with pdbedit -v
> thanks a lot. now I'm trying to logon again...
> cheers.

so, I now have nsswitch, ldap and samba working... almost :)

I added a test user, and created a testshare with valid users = test

pdbedit -v test (all on bdc, users created on pdc)
Unix username:        test
NT username:          test
Account Flags:        [U ]
User SID:             S-1-5-21-3842863818-2180709222-141296495-3178
Primary Group SID:    S-1-5-21-3842863818-2180709222-141296495-513
Full Name:            test
Home Directory:       \\mule\test
HomeDir Drive:        H:
Logon Script:         test.bat
Profile Path:         \\mule\profile\test
Domain:               WORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Fr, 05 Aug 2011 08:49:26 CEST
Password can change:  Fr, 05 Aug 2011 08:49:26 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

getent passwd:
test:x:1089:513:System User:/home/test:/bin/false

getent group:
Domain Admins:*:512:Administrator
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:

if I try to access the share, windows xp keeps asking for my password.

/var/log/samba/log.smbd tells me:
pdb_get_group_sid: Failed to find Unix account for test
[2011/08/05 09:44:02, 0] auth/auth_sam.c:355(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

what's wrong now?

thanks for helping me. still lost.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
net rpc getsid

hi, yes I did this step and just repeated it to be sure.

  sudo net rpc getsid

bdc:

  [sudo] password for bdc:
  Storing SID S-1-5-21-3842863818-2180709222-141296495 for Domain WORKGROUP in secrets.tdb

pdc:

  sudo smbldap-useradd -a test

bdc:

  pdbedit -v test
  Unix username: test
  NT username: test
  Account Flags: [UX ]
  User SID: S-1-5-21-3842863818-2180709222-141296495-3174
  Primary Group SID: (NULL SID)
  Full Name: test
  Home Directory: \\pdc\test
  HomeDir Drive: H:
  Logon Script: test.bat
  Profile Path: \\pdc\profiles\test
  Domain: BDC
  Account desc:
  Workstations:
  Munged dial:
  Logon time: 0
  Logoff time: never
  Kickoff time: never
  Password last set: 0
  Password can change: 0
  Password must change: 0
  Last bad password : 0
  Bad password count : 0
  Logon hours : FF

I'm completely lost, as you surely mentioned :)

greetings and thanks
juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Tue, 02 Aug 2011 14:12:05 +0200

I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example:

  bdc# net rpc getsid
  Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomanName in secrets.tdb

Remember that before running the command, you have to set smb.conf correctly as BDC.

here's the conf of my testing smb machine:

  [global]
  domain master = no
  domain logons = no
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000

You have to set domain logons = yes to make this machine act as BDC. And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf. Does

  getent passwd a-user-created-on-PDC

on BDC show his entry?

---
TAKAHASHI Motonobu mo...@samba.gr.jp

ok, I'm sorry. I'm stupid. I overlooked that I disabled domain logons... now it's showing the right domain with pdbedit -v. thanks a lot. now I'm trying to logon again... cheers.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:54, J. Echter wrote:
On 02.08.2011 14:40, Julien Celle wrote:
On 02/08/2011 14:22, J. Echter wrote:
On 02.08.2011 14:06, Julien Celle wrote:
pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh I forgot, profiles are on \\pdc. cheers.

Hi,

There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate. Try moving your profile for your user test to \\bdc\profile... You could also post your whole smb.conf for your BDC.

Cheers,
Julien.

first both of my configs...

BDC:

  [global]
  domain master = no
  domain logons = yes
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  printing = bsd
  netbios name = BDC
  server string = BDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

PDC:

  [global]
  printing = bsd
  netbios name = PDC
  server string = PDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  ## LDAP
  passdb backend = ldapsam:ldap://127.0.0.1
  idmap backend = ldap:ldap://127.0.0.1
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
  add user script = /usr/sbin/smbldap-useradd -a '%u'
  delete user script = /usr/sbin/smbldap-userdel %u
  add group script = /usr/sbin/smbldap-groupadd -a '%g'
  delete group script = /usr/sbin/smbldap-groupdel '%g'
  add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
  local master = yes
  preferred master = yes
  domain master = yes
  domain logons = yes
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

atm I have domain logons = no, to avoid negative interaction with my running pdc.

hope this helps.

ok, what I know now :)

a second domain gets added to the ldap directory if I, for example, add a user on pdc and do a pdbedit -v an-user. I have a second SambaDomainName in my ldap tree. This one is called the same as my bdc is configured in its smb.conf. is it forbidden to name the server bdc or similar? I have set workgroup = workgroup in smb.conf on pdc and bdc.

I'm lost with this...

thanks
juergen
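The two LDAP-side symptoms in this thread, a stray sambaDomainName entry that appears under the BDC's NetBIOS name and a user whose sambaPrimaryGroupSID does not resolve to a mapped Unix group (the "Primary Group SID: (NULL SID)" and "pdb_get_group_sid: Failed to find Unix account" messages above), can be checked directly against a dump of the tree. The following is an added example, not code from the thread or from smbldap-tools: it parses a constructed LDIF dump of the kind `ldapsearch -x -b dc=workgroup,dc=local` would produce (the BDC domain SID and the users bob and carol are made up) and reports every inconsistency it finds.

```python
"""Consistency checks for a Samba 3 ldapsam tree (added example, not from the thread)."""
from collections import defaultdict

# Constructed LDIF mirroring the thread: the real domain "workgroup", a stray
# sambaDomainName=BDC entry (SID made up), one good user and two broken ones.
SAMPLE_LDIF = """\
dn: sambaDomainName=workgroup,dc=workgroup,dc=local
objectClass: sambaDomain
sambaDomainName: workgroup
sambaSID: S-1-5-21-3842863818-2180709222-141296495

dn: sambaDomainName=BDC,dc=workgroup,dc=local
objectClass: sambaDomain
sambaDomainName: BDC
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=Domain Users,ou=groups,dc=workgroup,dc=local
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-3842863818-2180709222-141296495-513

dn: uid=test,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: test
gidNumber: 513
sambaSID: S-1-5-21-3842863818-2180709222-141296495-3178
sambaPrimaryGroupSID: S-1-5-21-3842863818-2180709222-141296495-513

dn: uid=bob,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: bob
gidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3001
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=carol,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: carol
gidNumber: 100
sambaSID: S-1-5-21-3842863818-2180709222-141296495-3200
sambaPrimaryGroupSID: S-1-5-21-3842863818-2180709222-141296495-513
"""

def parse_ldif(text):
    """Parse a plain (non-base64) LDIF dump into dicts of attr -> [values]."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):          # ldapsearch emits comment lines
            continue
        if not line:                      # blank line terminates an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(" ") and last_attr:   # folded continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries

def domain_sid_of(sid):
    """Strip the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def check_tree(entries, domain):
    """Return findings for the configured domain; an empty list means consistent."""
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomainName" in e}
    if domain not in domains:
        return [f"no sambaDomainName entry for {domain}"]
    findings = []
    if len(domains) > 1:   # a DC started with the wrong SID creates its own domain entry
        findings.append("multiple sambaDomainName entries: " + ", ".join(sorted(domains)))
    groups = {e["sambaSID"][0]: e for e in entries
              if "sambaGroupMapping" in e.get("objectClass", [])}
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid, sid = e["uid"][0], e["sambaSID"][0]
        if domain_sid_of(sid) != domains[domain]:
            findings.append(f"user {uid}: sambaSID {sid} is not under the SID of {domain}")
        pgsid = e.get("sambaPrimaryGroupSID", [""])[0]
        if not pgsid:          # pdbedit shows "Primary Group SID: (NULL SID)"
            findings.append(f"user {uid}: no sambaPrimaryGroupSID")
            continue
        if pgsid not in groups:   # smbd cannot map this SID to a Unix group
            findings.append(f"user {uid}: primary group {pgsid} has no sambaGroupMapping")
            continue
        gid, group_gid = e.get("gidNumber", [""])[0], groups[pgsid].get("gidNumber", [""])[0]
        if gid != group_gid:      # NSS gid and Samba primary group disagree
            findings.append(f"user {uid}: gidNumber {gid} differs from gidNumber "
                            f"{group_gid} of primary group {pgsid}")
    return findings
```

Run `check_tree(parse_ldif(dump), "workgroup")` on the output of ldapsearch; the sample above yields four findings and none for the user test.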
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Tue, 02 Aug 2011 14:12:05 +0200

I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example:

  bdc# net rpc getsid
  Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomanName in secrets.tdb

Remember that before running the command, you have to set smb.conf correctly as BDC.

here's the conf of my testing smb machine:

  [global]
  domain master = no
  domain logons = no
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000

You have to set domain logons = yes to make this machine act as BDC. And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf. Does

  getent passwd a-user-created-on-PDC

on BDC show his entry?

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 25.07.2011 14:38, J. Echter wrote:
On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

hi, tried all your hints. still no profiles found...

H... My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp

Hi,

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login. something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'. I will post the details about that later, I have to wait till I can switch the smb.conf again.

cheers
juergen.

hi, I'm back :) but still the old problem.

I have my tdbsam server running, I set up another samba server, without domain logons. I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.

sudo pdbedit -v test on my new test machine tells me:

  Unix username: test
  NT username: test
  Account Flags: [U ]
  User SID: S-1-5-21-3842863818-2180709222-141296495-3166
  Primary Group SID: (NULL SID)
  Full Name: test
  Home Directory: \\pdc\test
  HomeDir Drive: H:
  Logon Script: test.bat
  Profile Path: \\pdc\profiles\test
  Domain: BDC
  Account desc:
  Workstations:
  Munged dial:
  Logon time: 0
  Logoff time: never
  Kickoff time: never
  Password last set: Fr, 22 Jul 2011 23:33:55 CEST
  Password can change: Fr, 22 Jul 2011 23:33:55 CEST
  Password must change: never
  Last bad password : 0
  Bad password count : 0
  Logon hours : FF

I wonder because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain. if I'm using this user to logon, it isn't found.

phpldapadmin also shows a line like:

  sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
  sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal

here's the conf of my testing smb machine:

  [global]
  domain master = no
  domain logons = no
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  printing = bsd
  netbios name = BDC
  server string = BDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

my smbldap config is the following:

  sambaDomain=workgroup
  suffix=dc=workgroup,dc=local
  userProfile=\\pdc\profiles\%U

nsswitch.conf:

  passwd: files ldap
  shadow: files ldap
  group: files ldap
  hosts: files wins dns
  networks: files dns
  protocols: db files
  services: db files
  ethers: db files
  rpc: db files
  netgroup: nis

I hope somebody can tell me what's going on. I've been completely lost for a while :)

thanks, a nice day to all.
juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
First of all, there is a problem between your samba conf and the output of pdbedit: your server netbios name is defined in your smb.conf as 'BDC' and your workgroup/domain as 'workgroup', whereas the pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'. Setting those correctly to the same values should help.

On 02/08/2011 13:08, J. Echter wrote:
On 25.07.2011 14:38, J. Echter wrote:
On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

hi, tried all your hints. still no profiles found...

H... My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp

Hi,

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login. something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'. I will post the details about that later, I have to wait till I can switch the smb.conf again.

cheers
juergen.

hi, I'm back :) but still the old problem.

I have my tdbsam server running, I set up another samba server, without domain logons. I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.

sudo pdbedit -v test on my new test machine tells me:

  Unix username: test
  NT username: test
  Account Flags: [U ]
  User SID: S-1-5-21-3842863818-2180709222-141296495-3166
  Primary Group SID: (NULL SID)
  Full Name: test
  Home Directory: \\pdc\test
  HomeDir Drive: H:
  Logon Script: test.bat
  Profile Path: \\pdc\profiles\test
  Domain: BDC
  Account desc:
  Workstations:
  Munged dial:
  Logon time: 0
  Logoff time: never
  Kickoff time: never
  Password last set: Fr, 22 Jul 2011 23:33:55 CEST
  Password can change: Fr, 22 Jul 2011 23:33:55 CEST
  Password must change: never
  Last bad password : 0
  Bad password count : 0
  Logon hours : FF

I wonder because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain. if I'm using this user to logon, it isn't found.

phpldapadmin also shows a line like:

  sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
  sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal

here's the conf of my testing smb machine:

  [global]
  domain master = no
  domain logons = no
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  printing = bsd
  netbios name = BDC
  server string = BDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

my smbldap config is the following:

  sambaDomain=workgroup
  suffix=dc=workgroup,dc=local
  userProfile=\\pdc\profiles\%U

nsswitch.conf:

  passwd: files ldap
  shadow: files ldap
  group: files ldap
  hosts: files wins dns
  networks: files dns
  protocols: db files
  services: db files
  ethers: db files
  rpc: db files
  netgroup: nis

I hope somebody can tell me what's going on. I've been completely lost for a while :)

thanks, a nice day to all.
juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:06, Julien Celle wrote:
First of all, there is a problem between your samba conf and the output of pdbedit: your server netbios name is defined in your smb.conf as 'BDC' and your workgroup/domain as 'workgroup', whereas the pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'. Setting those correctly to the same values should help.

On 02/08/2011 13:08, J. Echter wrote:
On 25.07.2011 14:38, J. Echter wrote:
On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

hi, tried all your hints. still no profiles found...

H... My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp

Hi,

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login. something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'. I will post the details about that later, I have to wait till I can switch the smb.conf again.

cheers
juergen.

hi, I'm back :) but still the old problem.

I have my tdbsam server running, I set up another samba server, without domain logons. I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.

sudo pdbedit -v test on my new test machine tells me:

  Unix username: test
  NT username: test
  Account Flags: [U ]
  User SID: S-1-5-21-3842863818-2180709222-141296495-3166
  Primary Group SID: (NULL SID)
  Full Name: test
  Home Directory: \\pdc\test
  HomeDir Drive: H:
  Logon Script: test.bat
  Profile Path: \\pdc\profiles\test
  Domain: BDC
  Account desc:
  Workstations:
  Munged dial:
  Logon time: 0
  Logoff time: never
  Kickoff time: never
  Password last set: Fr, 22 Jul 2011 23:33:55 CEST
  Password can change: Fr, 22 Jul 2011 23:33:55 CEST
  Password must change: never
  Last bad password : 0
  Bad password count : 0
  Logon hours : FF

I wonder because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain. if I'm using this user to logon, it isn't found.

phpldapadmin also shows a line like:

  sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
  sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal

here's the conf of my testing smb machine:

  [global]
  domain master = no
  domain logons = no
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  printing = bsd
  netbios name = BDC
  server string = BDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

my smbldap config is the following:

  sambaDomain=workgroup
  suffix=dc=workgroup,dc=local
  userProfile=\\pdc\profiles\%U

nsswitch.conf:

  passwd: files ldap
  shadow: files ldap
  group: files ldap
  hosts: files wins dns
  networks: files dns
  protocols: db files
  services: db files
  ethers: db files
  rpc: db files
  netgroup: nis

I hope somebody can tell me what's going on. I've been completely lost for a while :)

thanks, a nice day to all.
juergen.

Hi,

my PDC has netbios name PDC and domain WORKGROUP, this one works (but not with LDAP). I set up this box called BDC (I want to integrate it as BDC later on). I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

thanks for helping
greetings
juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:06, Julien Celle wrote:
pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh I forgot, profiles are on \\pdc.

cheers.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02/08/2011 14:22, J. Echter wrote:
On 02.08.2011 14:06, Julien Celle wrote:
pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh I forgot, profiles are on \\pdc. cheers.

Hi,

There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate. Try moving your profile for your user test to \\bdc\profile... You could also post your whole smb.conf for your BDC.

Cheers,
Julien.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:40, Julien Celle wrote:
On 02/08/2011 14:22, J. Echter wrote:
On 02.08.2011 14:06, Julien Celle wrote:
pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh I forgot, profiles are on \\pdc. cheers.

Hi,

There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate. Try moving your profile for your user test to \\bdc\profile... You could also post your whole smb.conf for your BDC.

Cheers,
Julien.

first both of my configs...

BDC:

  [global]
  domain master = no
  domain logons = yes
  passdb backend = ldapsam:ldap://mule
  idmap backend = ldap:ldap://mule
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  printing = bsd
  netbios name = BDC
  server string = BDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

PDC:

  [global]
  printing = bsd
  netbios name = PDC
  server string = PDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  ## LDAP
  passdb backend = ldapsam:ldap://127.0.0.1
  idmap backend = ldap:ldap://127.0.0.1
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
  add user script = /usr/sbin/smbldap-useradd -a '%u'
  delete user script = /usr/sbin/smbldap-userdel %u
  add group script = /usr/sbin/smbldap-groupadd -a '%g'
  delete group script = /usr/sbin/smbldap-groupdel '%g'
  add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
  local master = yes
  preferred master = yes
  domain master = yes
  domain logons = yes
  logon path = \\pdc\profile\%U
  logon script = %U.bat
  logon drive = H:
  panic action = /usr/share/samba/panic-action %d

atm I have domain logons = no, to avoid negative interaction with my running pdc.

hope this helps.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

hi, tried all your hints. still no profiles found...

H... My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp

Hi,

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login. something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'. I will post the details about that later, I have to wait till I can switch the smb.conf again.

cheers
juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

hi, tried all your hints. still no profiles found...

H... My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Wed, 20 Jul 2011 17:58:34 +0200

I finally have my LDAP backend working for authentication for my DC. Logon scripts are executed, user is authenticated, but my roaming profiles are not found. here is what I have in my config files:

(snip)

  hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/

Try to comment this line.

  [profile]
  path = /bacula/samba/profile

This path has valid permission?

  guest ok = yes

Try to remove guest ok line.

And actually pdbedit -v a-user shows valid profile path?

---
TAKAHASHI Motonobu mo...@monyo.com

hi, tried all your hints. still no profiles found...
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
Hai,

a working profile share..

  [profiles]
  path = /bacula/samba/profile
  comment = Profiel enviroment.
  read only = no
  create mask = 0600
  directory mask = 0700
  browseable = Yes
  guest ok = Yes
  csc policy = disable
  force user = %U
  # next line allows administrator to access all profiles
  valid users = %U @Domain Admins

good luck.

-Original Message-
From: j.ech...@elektro-mayer-echter.de [mailto:samba-boun...@lists.samba.org] On behalf of J. Echter
Sent: 2011-07-20 18:21
To: samba@lists.samba.org
Subject: Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles

On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:

  [profile]
  path = /bacula/samba/profile

This path has valid permission?

  drwxrwxrwt 21 root root 4096 Jul 7 09:48 profile

And actually pdbedit -v a-user shows valid profile path?

  pdbedit -v klaudia
  Full Name: klaudia
  Home Directory: \\pdc\klaudia
  HomeDir Drive: H:
  Logon Script: klaudia.bat
  Profile Path: \\pdc\profile\klaudia
  Domain: WORKGROUP

cheers
juergen
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 21.07.2011 11:33, L.P.H. van Belle wrote:
Hai,

a working profile share..

  [profiles]
  path = /bacula/samba/profile
  comment = Profiel enviroment.
  read only = no
  create mask = 0600
  directory mask = 0700
  browseable = Yes
  guest ok = Yes
  csc policy = disable
  force user = %U
  # next line allows administrator to access all profiles
  valid users = %U @Domain Admins

good luck.

I'll try with this one and will report back.

thanks
juergen
[Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
Hi,

I finally have my LDAP backend working for authentication for my DC. Logon scripts are executed, user is authenticated, but my roaming profiles are not found. here is what I have in my config files:

smb.conf

  [global]
  printing = bsd
  netbios name = PDC
  server string = PDC (%h)
  workgroup = workgroup
  interfaces = eth0,lo
  security = user
  encrypt passwords = true
  map to guest = bad user
  guest account = nobody
  ## LDAP
  passdb backend = ldapsam:ldap://127.0.0.1
  idmap backend = ldap:ldap://127.0.0.1
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap suffix = dc=workgroup,dc=local
  ldap user suffix = ou=smb-usr
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmap
  ldap admin dn = cn=admin,dc=workgroup,dc=local
  ldap ssl = no
  ldap passwd sync = yes
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
  add user script = /usr/sbin/smbldap-useradd -a '%u'
  delete user script = /usr/sbin/smbldap-userdel %u
  add group script = /usr/sbin/smbldap-groupadd -a '%g'
  delete group script = /usr/sbin/smbldap-groupdel '%g'
  add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
  local master = yes
  preferred master = yes
  domain master = yes
  domain logons = yes
  logon path = \\%L\profile\%U
  logon script = %U.bat
  logon drive = H:
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
  panic action = /usr/share/samba/panic-action %d

  #=== Share Definitions ===
  [homes]
  comment = Home Directories
  browseable = no
  writeable = yes

  [profile]
  comment = Profildateien
  path = /bacula/samba/profile
  guest ok = yes
  browseable = no
  create mask = 0600
  directory mask = 0700
  writeable = yes
  profile acls = yes

  [netlogon]
  comment = Network Logon Service
  path = /bacula/samba/netlogon
  guest ok = yes
  writeable = no
  share modes = no
  browseable = no

smbldap.conf

  userHome=/home/%U (also tried \\pdc\%U)
  userSmbHome=\\pdc\%U
  userProfile=\\pdc\profile\%U
  userHomeDrive=H:
  userScript=%U.bat

what is it that I am overlooking?

many thanks and greets
juergen
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Wed, 20 Jul 2011 17:58:34 +0200
> I've finally got my LDAP backend working for authentication for my DC. Logon scripts are executed, the user is authenticated, but my roaming profiles are not found. Here is what I have in my config files:
> (snip)
> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
Try commenting out this line.
> [profile]
> path = /bacula/samba/profile
Does this path have valid permissions?
> guest ok = yes
Try removing the guest ok line. And does pdbedit -v a-user actually show a valid profile path?
--- TAKAHASHI Motonobu mo...@monyo.com
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
> > [profile]
> > path = /bacula/samba/profile
> Does this path have valid permissions?
drwxrwxrwt 21 root root 4096 Jul 7 09:48 profile
> And does pdbedit -v a-user actually show a valid profile path?
pdbedit -v klaudia
Full Name: klaudia
Home Directory: \\pdc\klaudia
HomeDir Drive: H:
Logon Script: klaudia.bat
Profile Path: \\pdc\profile\klaudia
Domain: WORKGROUP
cheers juergen
Re: [Samba] Samba, LDAP, Windows XP - force passwordchange on first login
Hello Götz,
These settings should work OK:
sambaPwdCanChange=1
sambaPwdLastSet=0
sambaPwdMustChange=0
Your sambaMaxPwdAge must be set to something useful, like sambaMaxPwdAge: 5184000.
To administer this, try http://ldapadmin.sourceforge.net/
Greetings Daniel
--- EDV Daniel Müller, Head of IT, Tropenklinik Paul-Lechler-Krankenhaus, Paul-Lechler-Str. 24, 72076 Tübingen, Tel.: 07071/206-463, Fax: 07071/206-499, eMail: muel...@tropenklinik.de, Internet: www.tropenklinik.de ---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Götz Reinicke - IT-Koordinator
Sent: Tuesday, 1 February 2011 15:53
To: samba@lists.samba.org
Subject: [Samba] Samba, LDAP, Windows XP - force passwordchange on first login
> Hello, I was looking for the right LDAP attribute and setting to force users to change their password when they log in for the first time. Can someone point me to the syntax or doc I have not found yet? samba 3.5.4 and openldap-2.4.19. Thanks and regards, Götz Reinicke
> (snip)
[Samba] Samba, LDAP, Windows XP - force passwordchange on first login
Hello, I was looking for the right LDAP attribute and setting to force users to change their password when they log in for the first time. Can someone point me to the syntax or doc I have not found yet? samba 3.5.4 and openldap-2.4.19. Thanks and regards,
-- Götz Reinicke, IT-Koordinator, Tel. +49 7141 969 420, Fax +49 7141 969 55 420, E-Mail goetz.reini...@filmakademie.de, Filmakademie Baden-Württemberg GmbH, Akademiehof 10, 71638 Ludwigsburg, www.filmakademie.de, registered at Amtsgericht Stuttgart HRB 205016, Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, Managing Director: Prof. Thomas Schadt
[Samba] Samba+LDAP+Password
Hi, we have a Debian Lenny box running Samba 3.5.5 with OpenLDAP and Winbind. The users can change their password via Windows clients, but after the password expires they can't set a new password. To unlock the user account I have to set a new password via the smbldap-passwd script. I have the following parameters set in my smb.conf:
obey pam restrictions = yes
pam password change = yes
Thanks -- Rodolfo Barbosa, Lunar Consultoria, +55(35)3821-8066, +55(35)9132-0764
Re: [Samba] Samba+LDAP+Password
You do not need:
obey pam restrictions = yes
pam password change = yes
If you have only Samba/OpenLDAP as DC you do not need winbind with smbldap-tools. Good luck, Daniel
--- EDV Daniel Müller, Head of IT, Tropenklinik Paul-Lechler-Krankenhaus, Paul-Lechler-Str. 24, 72076 Tübingen, Tel.: 07071/206-463, Fax: 07071/206-499, eMail: muel...@tropenklinik.de, Internet: www.tropenklinik.de ---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Rodolfo Barbosa
Sent: Monday, 31 January 2011 12:27
To: samba@lists.samba.org
Subject: [Samba] Samba+LDAP+Password
> Hi, we have a Debian Lenny box running Samba 3.5.5 with OpenLDAP and Winbind. The users can change their password via Windows clients, but after the password expires they can't set a new password.
> (snip)
[Samba] samba+ldap setup, users info in two OU
Dear friends, my domain users are in two different OUs: one OU is TEMP_USERS and the other OU is PEOPLE. What should I put in smb.conf? If I set ldap user suffix = ou=PEOPLE, then users in the OU TEMP_USERS are not able to authenticate. Please guide me. Thanks -- http://linuxinterviews.blogspot.com
[Samba] Samba LDAP ignores group information
Hi. Excuse my English. I've installed Samba+OpenLDAP as a PDC. Everything works fine but Samba completely ignores group information. Linux is OK. Any clue? I'm going crazy here! Here's the situation:

user: fish1
home dir: /home/realm/swim/fish1
primary group: swimmers
other groups: smokers
Directory of the smokers group: /home/realm/smokers

Here's an 'ls -l' on the smokers parent dir:
drwxrws--- 19 cigarr smokers 2208 Jul 27 2010 smokers

Here's the share:
[smokers]
comment = Smoking
path = /home/realm/smokers
valid users = @smokers @swimmers @support
public = no
writable = yes
browseable = yes
create mask = 0777
force create mode = 0777
force directory mode = 0777
directory mode = 0777

Here's 'id' information:
# id fish1
uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)

So, when user fish1 tries to enter the 'smokers' share: permission denied. If I give all permissions to 'others', fish1 can use the share normally. This only happens when I try to access it using Windows. Linux is OK. Any idea? Seems to be an error between Samba and OpenLDAP...

Here's smbldap-usershow:
# smbldap-usershow fish1
dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: fish1
sn: fish1
givenName: fish1
uid: fish1
uidNumber: 1193
gidNumber: 1012
homeDirectory: /home/realm/swim/fish1
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: angela
sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
sambaLogonScript: swimmers.bat
sambaProfilePath: \\REALMSERV\profiles\fish1
sambaHomePath: \\REALMSERV\fish1
sambaHomeDrive: U:
sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
sambaAcctFlags: [U]
sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
sambaPwdLastSet: 1280219188
sambaPwdMustChange: 2144132788
userPassword: {CRYPT}c28JIqzpe43e
shadowLastChange: 14817
shadowMax:

Here's /etc/ldap.conf:
base dc=example,dc=com
uri ldapi:///127.0.0.1
uri ldap://127.0.0.1
ldap_version 3
binddn cn=admin,dc=example,dc=com
bindpw mysecret
rootbinddn cn=admin,dc=example,dc=com
scope sub
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr yes
pam_member_attribute memberUid
pam_password md5
nss_base_passwd ou=people,dc=example,dc=com?sub
nss_base_passwd ou=computers,dc=example,dc=com?sub
nss_base_group ou=groups,dc=example,dc=com?sub

And the smbldap.conf:
SID=S-1-5-21-158730468-2379596502-3695168017
sambaDomain=REALM
slaveLDAP=127.0.0.1
slavePort=389
masterLDAP=127.0.0.1
masterPort=389
ldapTLS=0
verify=require
cafile=
clientcert=
clientkey=
suffix=dc=example,dc=com
usersdn=ou=people,${suffix}
computersdn=ou=computers,${suffix}
groupsdn=ou=groups,${suffix}
sambaUnixIdPooldn=sambaDomainName=${sambaDomain},${suffix}
scope=sub
hash_encrypt=CRYPT
userLoginShell=/bin/bash
userHome=/home/%U
userGecos=System User
defaultUserGid=543
defaultComputerGid=543
skeletonDir=/etc/skel
defaultMaxPasswordAge=
userSmbHome=\\REALMSERV\%U
userProfile=\\REALMSERV\profiles\%U
userHomeDirectoryMode=700
userHomeDrive=U:
userScript=%g.bat
mailDomain=example.com
with_smbpasswd=0
smbpasswd=/usr/bin/smbpasswd
with_slappasswd=0
slappasswd=/usr/sbin/slappasswd

And finally, smb.conf:
workgroup = REALM
netbios name = REALMSERV
server string = My Realm %v
security = user
encrypt passwords = yes
load printers = yes
log file = /var/log/samba/log.%m
max log size = 50
os level = 33
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
#admin users = god
logon script = %g.bat
logon path = \\%L\profiles\%U
#logon path = \\%N\profiles\%U
wins support = no
dns proxy = no
ldap passwd sync = yes
ldap delete dn = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=computers
create mask = 600
directory mask = 0700
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I'm lost... []s Alexander Brazil
Re: [Samba] Samba LDAP ignores group information
alexan...@nautae.eti.br wrote:
> Hi. Excuse my English. I've installed Samba+OpenLDAP as a PDC. Everything works fine but Samba completely ignores group information. Linux is OK. Any clue? I'm going crazy here!
> (snip)
> I'm lost... []s Alexander Brazil
It sounds as though the groups aren't mapped for Windows within Samba. Try:
# net groupmap list
Does this give you any groups? Are the groups you're working with included? How did you create the groups? With smbldap-groupadd, I hope?
Re: [Samba] Samba LDAP ignores group information
On 2010-07-27 20:05, alexan...@nautae.eti.br wrote:
> Hi. Excuse my English. I've installed Samba+OpenLDAP as a PDC. Everything works fine but Samba completely ignores group information. Linux is OK. Any clue? I'm going crazy here!
> (snip)
> I'm lost... []s Alexander Brazil
What version of Samba? What does this command return:
net rpc user info fish1
Daniel
Re: [Samba] Samba LDAP ignores group information
On 07/27/2010 03:38 PM, Daniel Deptuła wrote:
> On 2010-07-27 20:05, alexan...@nautae.eti.br wrote:
> > Hi. Excuse my English. I've installed Samba+OpenLDAP as a PDC. Everything works fine but Samba completely ignores group information. Linux is OK. Any clue? I'm going crazy here!
> > (snip)
> > I'm lost... []s Alexander Brazil
> What version of Samba? What does this command return:
> net rpc user info fish1
> Daniel
Also check the output from
net groupmap list
For each well-known group (e.g. Domain Users) you should have a SID defined (with a standard RID). For example, Domain Users has a RID of 513. Groups you define (e.g. swimmers) do not have to have a SID defined (Unix will still enforce the permissions), but it can make life easier if you do define a SID. The SID will have the domain component + a unique RID (relative ID), e.g.
# net groupmap list
Domain Users
[Samba] Samba / LDAP passwords
Hello, Ubuntu 9.10 Server / Samba 3.4 with an LDAP backend. I'm looking for some explanation of how a few options work together to make passwords work properly. I have some accounts that have the sambaAcctFlags [UX], and that should set it so their passwords don't expire, correct? This doesn't seem to be the case, as they need changing sometimes... (continue on) My next question is this: does this possibly have to do with the global account policy that sets the passwords to expire after 360 days in my case? (I will be lowering this.) I understand that this corresponds with the password last set and is calculated each time the user logs in and sets sambaPwdMustChange? When a user password is set it changes sambaPwdMustChange to 360 days in the future, and when I change the account flags to never expire, sambaPwdMustChange does not change. The main question is this: how can I specify that some users' passwords never expire and let the account policy decide the rest? And I guess, why is this not working for me...
[Samba] Samba-LDAP Password Expiration Reminder Script
I am currently running Samba (3.0.33) on CentOS 5 with an OpenLDAP back-end. I would like to have a script run that looks at the sambaPwdLastSet attribute, compares it to the current time and then, if needed, emails the user a reminder to change their password. I have never written any scripts that reference the LDAP directory, so I'm hoping there is something out there that I can modify or reference for my own script. Any help would be greatly appreciated, thanks! --Bill
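Three posts on this page deal with the same bookkeeping: Daniel's reply recommending sambaPwdCanChange=1, sambaPwdLastSet=0, sambaPwdMustChange=0 to force a change at first login, the Ubuntu 9.10 post asking how [UX] interacts with the policy and sambaPwdMustChange, and Bill's request for a sambaPwdLastSet reminder script. The example below is added for this page (not code from the thread or from Samba) and implements the expiry rule as Samba 3 applies it, which is the assumption here: the X flag means the password never expires, sambaPwdLastSet = 0 means change at next logon, machine and trust accounts are exempt, and otherwise the password expires at sambaPwdLastSet + sambaMaxPwdAge (seconds, taken from the sambaDomain entry) rather than at the stored sambaPwdMustChange. The sample entries and the fixed clock are constructed; the 60-day policy is the 5184000 value quoted above.

```python
"""Samba 3 ldapsam password-expiry checks (added example, not code from the thread)."""

NEVER = 2147483647   # the "never" sentinel smbldap-tools writes (seen in the thread's LDIF)
DAY = 86400


def acct_flags(entry):
    """'[UX         ]' -> {'U', 'X'}; pdbedit's letters, X = password never expires."""
    return set(entry.get("sambaAcctFlags", "[U]").strip("[] ").replace(" ", ""))


def must_change_time(entry, max_pwd_age):
    """Epoch seconds at which the password expires (assumed Samba 3 rule):
    X flag, or no policy (0 / -1), -> never; else sambaPwdLastSet + sambaMaxPwdAge."""
    if "X" in acct_flags(entry) or max_pwd_age in (0, -1):
        return NEVER
    return int(entry.get("sambaPwdLastSet", 0)) + max_pwd_age


def password_state(entry, max_pwd_age, now):
    """'ok', 'must-change' (sambaPwdLastSet = 0) or 'expired'."""
    if acct_flags(entry) & {"W", "S", "I"}:        # machine and trust accounts are exempt
        return "ok"
    if int(entry.get("sambaPwdLastSet", 0)) == 0:
        return "must-change"
    if must_change_time(entry, max_pwd_age) < now:
        return "expired"
    return "ok"


def days_left(entry, max_pwd_age, now):
    """Whole days until expiry (negative once expired), or None if it never expires."""
    mct = must_change_time(entry, max_pwd_age)
    return None if mct == NEVER else (mct - now) // DAY


def reminders(entries, max_pwd_age, now, warn_days=14):
    """(uid, days_left) for user accounts expiring within warn_days or already expired."""
    out = []
    for e in entries:
        if acct_flags(e) & {"W", "S", "I"} or password_state(e, max_pwd_age, now) == "must-change":
            continue
        d = days_left(e, max_pwd_age, now)
        if d is not None and d <= warn_days:
            out.append((e["uid"], d))
    return out


def force_change_ldif(dn):
    """LDIF modify applying the three attribute values Daniel's reply recommends."""
    return (
        f"dn: {dn}\nchangetype: modify\n"
        "replace: sambaPwdLastSet\nsambaPwdLastSet: 0\n-\n"
        "replace: sambaPwdCanChange\nsambaPwdCanChange: 1\n-\n"
        "replace: sambaPwdMustChange\nsambaPwdMustChange: 0\n"
    )


# Constructed sample: a 60-day sambaMaxPwdAge (the 5184000 from the thread) and a
# fixed clock so the results are reproducible.
MAX_PWD_AGE = 5184000
NOW = 1300000000
SAMPLE = [
    {"uid": "alice", "sambaAcctFlags": "[U          ]", "sambaPwdLastSet": "1296000000"},  # 46 days old
    {"uid": "bob",   "sambaAcctFlags": "[U          ]", "sambaPwdLastSet": "1290000000"},  # 116 days old
    {"uid": "carol", "sambaAcctFlags": "[UX         ]", "sambaPwdLastSet": "1290000000"},  # never expires
    {"uid": "dave",  "sambaAcctFlags": "[U          ]", "sambaPwdLastSet": "0"},           # change at next logon
    {"uid": "pc01$", "sambaAcctFlags": "[W          ]", "sambaPwdLastSet": "0"},           # machine account
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e['uid']:6} {password_state(e, MAX_PWD_AGE, NOW):12} "
              f"days_left={days_left(e, MAX_PWD_AGE, NOW)}")
    print("remind:", reminders(SAMPLE, MAX_PWD_AGE, NOW))
    print(force_change_ldif("uid=dave,ou=people,dc=example,dc=com"))
```

For a real run, pull uid, sambaAcctFlags and sambaPwdLastSet for each sambaSamAccount with ldapsearch, read sambaMaxPwdAge from the sambaDomainName entry, and hand the reminders() tuples to whatever mailer you use; the LDIF from force_change_ldif() can be applied with ldapmodify -f. The rule coded here is also the baseline to compare against when an account with [UX] is still asked to change its password.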
[Samba] Samba, ldap and machine accounts
Hi, some time ago I started to try a migration from our old Samba PDC with smbpasswd user backend to a new LDAP-based one. I got to the point that users can log in to shares, and now I'd like to set up the server as a PDC with LDAP and machine accounts too. The smbldap-tools are installed and configured and I can add a machine to LDAP up to a certain point. The LDAP entry is created, but when I restart the XP client there is a pop-up at the login window with the message that the domain is not available (the domain I joined a few minutes ago). I restarted the Samba server, I restarted the XP client, waited some time overnight for the browser announcement to finish, deleted the cached files on the Samba server in /var/cache/samba/ ... Maybe I missed something or deleted something I shouldn't have ... The server is CentOS 5.5, openldap-2.3.43, samba-3.0.33. The client is Windows XP SP3 with all the latest patches and no modifications to the registry or anything else. The logfiles give me no clue. Any suggestion or help is appreciated! Thanks a lot and best regards, Götz
-- Götz Reinicke, IT-Koordinator, Tel. +49 7141 969 420, Fax +49 7141 969 55 420, E-Mail goetz.reini...@filmakademie.de, Filmakademie Baden-Württemberg GmbH, Akademiehof 10, 71638 Ludwigsburg, www.filmakademie.de, registered at Amtsgericht Stuttgart HRB 205016, Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, Managing Director: Prof. Thomas Schadt
Re: [Samba] Samba/LDAP and home dir creation
> Subject: [Samba] Samba/LDAP and home dir creation
> Hi, all. I'm working on a project to create a Samba PDC with LDAP authentication. (snip) While users can log into the CentOS box, with LDAP providing the creds, no home directory is automagically created as on the OpenSuse boxes. I'd like to fix that, with your help.
> (snip)
> Dimitri
--
To avoid messing with PAM, you can also do something like
root preexec = /data/Backup/createhomes.sh %D %S
in your smb.conf, and the file createhomes.sh looks something like:

#!/bin/bash
# Called by smbd as root: $1 = %D (domain), $2 = %S (share name, which in
# [homes] is the user name). Everything is quoted, since "domain admins"
# contains a space and the path is built from substituted values.
home="/data/homes/$1/$2"
if [ ! -d "$home" ]; then
    mkdir -p "$home"
    chown "$2":"domain admins" "$home"
    chmod 2770 "$home"                       # 770 plus setgid, as the g+s / 770 pair intended
    /usr/bin/setfacl -m "g:domain admins:rwx" "$home"
    /usr/bin/setfacl -m "u:$2:rwx" "$home"
    /usr/bin/setfacl -m "g:domain users:---" "$home"   # setfacl takes rwx letters, not 000
fi
exit 0

-=Andrew
[Samba] Samba/LDAP and home dir creation
Hi, all. I'm working on a project to create a Samba PDC with LDAP authentication. I've been pretty successful in getting everything to work. However, I've run into a small snag: the PDC is built on an OpenSuse 11.2 box. Most of the member servers are also OpenSuse 11.2 boxes. However, a CentOS 5.5 server was just added to the mix. While users can log into the CentOS box, with LDAP providing the creds, no home directory is automagically created as on the OpenSuse boxes. I'd like to fix that, with your help. I've used authconfig-tui on the CentOS box to enable Use LDAP and Use LDAP Authentication (the equivalent of YaST's LDAP Client config tool?). I believe my smb.conf and ldap.conf files are correct (I'll provide them if you all need to see them). Any ideas? Thanks. Dimitri
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [Samba] Samba/LDAP and home dir creation
Hi Dimitri,
You probably want to enable the PAM module responsible for this. Back up and edit your /etc/pam.d/system-auth and add the following line:
session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
Note: messing with your PAM config may lock you out of the system, so be careful.
2010/6/9 Dimitri Yioulos dyiou...@firstbhph.com:
> Hi, all. I'm working on a project to create a Samba PDC with LDAP authentication. (snip) While users can log into the CentOS box, with LDAP providing the creds, no home directory is automagically created as on the OpenSuse boxes. I'd like to fix that, with your help.
> (snip)
> Dimitri
-- Diego Lima
Re: [Samba] Samba/LDAP and home dir creation
On Wednesday 09 June 2010 4:47:31 pm you wrote:
> Hi Dimitri,
>
> You probably want to enable the PAM module responsible for this. Back up and edit your /etc/pam.d/system-auth and add the following line:
>
> session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
>
> Note: messing with your PAM config may lock you out of the system, so be careful.
>
> 2010/6/9 Dimitri Yioulos dyiou...@firstbhph.com:
>> Hi, all.
>>
>> I'm working on a project to create a Samba PDC with LDAP authentication. I've been pretty successful in getting everything to work. However, I've run into a small snag: the PDC is built on an OpenSuse 11.2 box. Most of the member servers are also OpenSuse 11.2 boxes. However, a CentOS 5.5 server was just added to the mix. While users can log into the CentOS box, with LDAP providing the creds, no home directory is automagically created as on the OpenSuse boxes. I'd like to fix that, with your help.
>>
>> I've used authconfig-tui on the CentOS box to enable "Use LDAP" and "Use LDAP Authentication" (the equivalent of YaST's LDAP Client config tool?). I believe my smb.conf and ldap.conf files are correct (I'll provide them if you all need to see them).
>>
>> Any ideas?
>>
>> Thanks.
>>
>> Dimitri
>
> -- Diego Lima

Diego,

That worked perfectly! I used pam_mkhomedir.so, though, as this is a 32-bit system.

Thank you.

Dimitri
[Samba] Samba/LDAP Win 7 unable to access shares
Windows 7 can connect to the domain as a member (using wiki.samba Win 7 details) but cannot see any shared resources or connect to the machine at all. Logs show things start ok but fall apart pretty quickly.

Anyone else having issues with Win7 and Samba? On this network, XP, Vista and Mac all swell :)

Any pointers?

Samba (3.4.8) server on Debian Stable (Samba off lenny-backports in an attempt to get Win 7 sorted a while back) auth'ing off a local LDAP server running LDAP-Account-Manager

[2010/05/25 11:20:25, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/05/25 11:20:25, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/05/25 11:20:25, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/05/25 11:20:25, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user
[2010/05/25 11:20:25, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user
[2010/05/25 11:20:25, 2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password: authentication for user [user] - [user] - [user] succeeded
[2010/05/25 11:20:25, 0] smbd/sec_ctx.c:196(push_sec_ctx)
  Security context stack overflow!
[2010/05/25 11:20:25, 0] lib/util.c:1480(smb_panic)
  PANIC (pid 3099): Security context stack overflow!
[2010/05/25 11:20:25, 0] lib/util.c:1584(log_stack_trace)
  BACKTRACE: 55 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7b1255d]
   #1 /usr/sbin/smbd(smb_panic+0x2d) [0xb7b1265d]
   #2 /usr/sbin/smbd(push_sec_ctx+0x1b9) [0xb78e2559]
   #3 /usr/sbin/smbd(become_root+0x17) [0xb78d0d97]
   #4 /usr/sbin/smbd(pdb_get_account_policy+0x23) [0xb7aadb33]
   #5 /usr/sbin/smbd(init_buffer_from_samu+0x27c) [0xb7aa70fc]
   #6 /usr/sbin/smbd(pdb_copy_sam_account+0x3e) [0xb7aaa31e]
   ...
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
You are missing something, which I just realized reading this: a couple of emails that went back and forth off-list. Oops.

I think the following is essentially accurate: someone will surely correct me if it's not.

At the moment, this is the only samba server there is, and it's acting as a PDC. At some point, I'll (probably) be building an actual PDC, at which point domain master will be set to no. That will change the role from PDC to BDC, which is (as far as I can tell) what I want. The problem right now is that, if I set this to act as a BDC, I can't actually join the domain, because there isn't a controller. Because of that, this system (SL1) has to act as a PDC.

When I said it's not acting as a PDC, I should have said "...but not being used as a domain login controller", rather than "...not acting as".

What I really probably OUGHT to do is set up mv (our LDAP server) to act as a PDC now, and simply let this act as a client. Unfortunately, I don't have time to do it now -- I'll probably get to that sometime over the summer, when things are a little less crazy.

-Alex

zoolook wrote:
> 2010/5/18 Alex McKenzie a...@chem.umass.edu:
>> r...@sl1:/etc/samba# testparm
>> Server role: ROLE_DOMAIN_PDC
>> [global]
>> workgroup = CHEMBMB
>> domain logons = Yes
>> preferred master = Yes
>> domain master = Yes
>>
>> This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.
>
> Hm!?
>
>> Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!
>
> Can you (or someone else) please explain this, because either I'm too dumb or too sleepy. From what I can see, your samba server IS a PDC.
>
> If you want SL1 to be a member of CHEMBMB, you need to:
>
> domain logons = No
> security = DOMAIN
>
> Then:
>
> # net rpc join ((or net ads join))
>
> Am I missing something here?
>
> Thanks,
> Norberto
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
t...@tms3.com wrote:
> SNIP
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> 7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.
>
> You have two different domains. And the users are in CHEMBMB and the server is a member of SL1. Why not join SL1 to CHEMBMB?

How do I get the server to join CHEMBMB? I spent about two hours trying to get the two SIDs to be the same, with no success. I assumed that was part of the issue, but I finally gave up on making it work. I assume I'd use net setlocalsid, which shows the following:

r...@sl1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
r...@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
r...@schnelllab1:~# net getdomainsid
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

If there's something else I should be doing, I'd love to know what it is!

-Alex

>> 8) testparm on sl1 returns the following:
>>
>> Load smb config files from /etc/samba/smb.conf
>> Processing section [homes]
>> Processing section [itadmins]
>> Loaded services file OK.
>> Server role: ROLE_STANDALONE
>> Press enter to see a dump of your service definitions
>>
>> [global]
>>     workgroup = CHEMBMB
>>     server string = %h server (Samba, Ubuntu)
>>     map to guest = Bad User
>>     obey pam restrictions = Yes
>>     passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>     pam password change = Yes
>>     passwd program = /usr/bin/passwd %u
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     unix password sync = Yes
>>     syslog = 255
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     dns proxy = No
>>     ldap admin dn = cn=admin,dc=cns
>>     ldap group suffix = ou=Chemistry groups
>>     ldap suffix = ou=Chemistry,dc=cns
>>     ldap ssl = no
>>     ldap user suffix = ou=Chemistry users
>>     usershare allow guests = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     invalid users = root
>>
>> [homes]
>>     comment = Home Directories
>>     read only = No
>>     browseable = No
>>
>> [itadmins]
>>     comment = Shared directory for the IT group
>>     path = /home/itadmins
>>     valid users = spalmer, amckenzie
>>     read only = No
>>     create mask = 0665
>>     directory mask = 0775
>>
>> Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.
>>
>> Thanks in advance,
>> Alex McKenzie
>> a...@chem.umass.edu
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
I do have smbldap tools installed and, as far as I can tell, set up. net join CHEMBMB -U Administrator returns "cannot join as standalone machine".

The LDAP structure may be the issue... I don't think computer accounts were ever set up on the current server (the last server was done by the guy who used to do my job, who left basically no documentation), because I wasn't aware they were necessary for this. We're not planning to use Samba/LDAP for windows authentication (only Mac, which doesn't require any sort of machine account, and linux, which also doesn't require a machine account), and if we do decide to do windows auth with Samba, it won't be using SL1. SL1 is only a file server -- it's for a small research group, and there will eventually be a bunch of them, possibly as many as 30-40. The system that LDAP runs on will eventually become a PDC, if necessary, but for now samba isn't even installed.

If that's the issue, I'll feel stupid, but grateful that someone pointed me in the right direction. Let me know what to try next... as I said initially, I'm quite out of my depth.

I haven't been testing with a Windows machine, and I did something to completely break SL1 yesterday, so I can't test it right now. (I changed something in smb.conf, and now samba won't start -- I need to figure out what that is before I go any further.)

-Alex

t...@tms3.com wrote:
>> How do I get the server to join CHEMBMB?
>
> I may have been hasty, but I don't have a proper domain to check at the moment. However:
>
> Do you have smbldap-tools installed and set up on sl1? Did you ever issue net join CHEMBMB -U Administrator from sl1?
>
> Check your ldap structure. You should have a computer with an LDIF that looks like this:
>
> dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
> sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
> sambaDomainName: MYDOMAIN
> displayName: zaphod$
> objectClass: posixAccount
> objectClass: account
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> uid: zaphod$
> uidNumber: 41328
> cn: zaphod$
> sambaLogoffTime: 2147483647
> sambaPwdLastSet: 1267756286
> sambaAcctFlags: [S ]
> loginShell: /bin/false
> gidNumber: 553
> sambaPwdMustChange: 2147483647
> sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
> sambaPwdCanChange: 0
> sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> sambaKickoffTime: 2147483647
>
> ALSO, I assume you are using some kind of Windows work station for the users, so what error does Windows display when the users log in?
>
> Cheers,
> TMS III
>
>> I spent about two hours trying to get the two SIDs to be the same, with no success. I assumed that was part of the issue, but I finally gave up on making it work. I assume I'd use net setlocalsid, which shows the following:
>>
>> r...@sl1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>> r...@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
>> r...@schnelllab1:~# net getdomainsid
>> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> If there's something else I should be doing, I'd love to know what it is!
>>
>> -Alex
>>
>>> 8) testparm on sl1 returns the following:
>>>
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section [homes]
>>> Processing section [itadmins]
>>> Loaded services file OK.
>>> Server role: ROLE_STANDALONE
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>>     workgroup = CHEMBMB
>>>     server string = %h server (Samba, Ubuntu)
>>>     map to guest = Bad User
>>>     obey pam restrictions = Yes
>>>     passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>>     pam password change = Yes
>>>     passwd program = /usr/bin/passwd %u
>>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>     unix password sync = Yes
>>>     syslog = 255
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 1000
>>>     dns proxy = No
>>>     ldap admin dn = cn=admin,dc=cns
>>>     ldap group suffix = ou=Chemistry groups
>>>     ldap suffix = ou=Chemistry,dc=cns
>>>     ldap ssl = no
>>>     ldap user suffix = ou=Chemistry users
>>>     usershare allow guests = Yes
>>>     panic action = /usr/share/samba/panic-action %d
>>>     invalid users = root
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     read only = No
>>>     browseable = No
>>>
>>> [itadmins]
>>>     comment = Shared directory for the IT group
>>>     path = /home/itadmins
>>>     valid users = spalmer, amckenzie
>>>     read only = No
>>>     create mask = 0665
>>>     directory mask = 0775
>>>
>>> Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
This fixed it! For the record, since I suspect this all gets archived and is searchable: here's the output of testparm.

r...@sl1:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [itadmins]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    workgroup = CHEMBMB
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://mv.chem.umass.edu
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    ldap admin dn = cn=admin,dc=cns
    ldap group suffix = ou=Chemistry groups
    ldap suffix = ou=Chemistry,dc=cns
    ldap ssl = no
    ldap user suffix = ou=Chemistry users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    invalid users = root

[homes]
    comment = Home Directories
    read only = No
    browseable = No
    valid users = %S

[itadmins]
    comment = Shared directory for the IT group
    path = /home/itadmins
    valid users = amckenzie, jmaher, spalmer, bmbchem
    read only = No
    create mask = 0665
    directory mask = 0775
    browseable = No

net getdomainsid returns:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.

Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!

-Alex McKenzie

t...@tms3.com wrote:
> SNIP
>> I do have smbldap tools installed and, as far as I can tell, set up. net join CHEMBMB -U Administrator returns "cannot join as standalone machine".
>
> DUHHH! I'm sorry, I'm a moron. OK, change that to
>
> preferred master = Yes
> domain logons = Yes
> domain master = Yes ---if this is the only DC in CHEMBMB. If you have another samba server as PDC in CHEMBMB then set that to no
>
>> The LDAP structure may be the issue... I don't think computer accounts were ever set up on the current server (the last server was done by the guy who used to do my job, who left basically no documentation), because I wasn't aware they were necessary for this. We're not planning to use Samba/LDAP for windows authentication (only Mac, which doesn't require any sort of machine account, and linux, which also doesn't require a machine account), and if we do decide to do windows auth with Samba, it won't be using SL1. SL1 is only a file server -- it's for a small research group, and there will eventually be a bunch of them, possibly as many as 30-40. The system that LDAP runs on will eventually become a PDC, if necessary, but for now samba isn't even installed.
>>
>> If that's the issue, I'll feel stupid, but grateful that someone pointed me in the right direction. Let me know what to try next... as I said initially, I'm quite out of my depth.
>>
>> I haven't been testing with a Windows machine, and I did something to completely break SL1 yesterday, so I can't test it right now. (I changed something in smb.conf, and now samba won't start -- I need to figure out what that is before I go any further.)
>>
>> -Alex
>>
>> t...@tms3.com wrote:
>>>> How do I get the server to join CHEMBMB?
>>>
>>> I may have been hasty, but I don't have a proper domain to check at the moment. However:
>>>
>>> Do you have smbldap-tools installed and set up on sl1? Did you ever issue net join CHEMBMB -U Administrator from sl1?
>>>
>>> Check your ldap structure. You should have a computer with an LDIF that looks like this:
>>>
>>> dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
>>> sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
>>> sambaDomainName: MYDOMAIN
>>> displayName: zaphod$
>>> objectClass: posixAccount
>>> objectClass: account
>>> objectClass: sambaSamAccount
>>> sambaLogonTime: 0
>>> uid: zaphod$
>>> uidNumber: 41328
>>> cn: zaphod$
>>> sambaLogoffTime: 2147483647
>>> sambaPwdLastSet: 1267756286
>>> sambaAcctFlags: [S ]
>>> loginShell: /bin/false
>>> gidNumber: 553
>>> sambaPwdMustChange: 2147483647
>>> sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
>>> sambaPwdCanChange: 0
>>> sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
>>> gecos: Computer
>>> description: Computer
>>> homeDirectory: /dev/null
>>> sambaKickoffTime: 2147483647
>>>
>>> ALSO, I assume you are using some kind of
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
2010/5/18 Alex McKenzie a...@chem.umass.edu:
> r...@sl1:/etc/samba# testparm
> Server role: ROLE_DOMAIN_PDC
> [global]
> workgroup = CHEMBMB
> domain logons = Yes
> preferred master = Yes
> domain master = Yes
>
> This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.

Hm!?

> Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!

Can you (or someone else) please explain this, because either I'm too dumb or too sleepy. From what I can see, your samba server IS a PDC.

If you want SL1 to be a member of CHEMBMB, you need to:

domain logons = No
security = DOMAIN

Then:

# net rpc join ((or net ads join))

Am I missing something here?

Thanks,
Norberto
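The "User ... with invalid SID ... in passdb" lines in this thread come from Samba 3's lookup_global_sam_name(): after it fetches an account from the passdb it insists that the account's SID sits directly under the SID the server considers its own domain. On a standalone server that is the machine SID (the "SL1" SID from net getdomainsid); only with domain logons = Yes does the server take the domain SID (the "CHEMBMB" SID stored in LDAP) as its own, which is why the accounts smbldap-tools generated under the CHEMBMB SID validated as soon as the box became a PDC. The script below is an added example, not code from the thread or from Samba: it parses a constructed LDIF shaped like the thread's accounts (two users plus a machine account like the one tms3 posted, with the sambaNTPassword left out because an NT hash is a password equivalent and should not be pasted into mail), derives the server role from the smb.conf settings discussed here using a simplified copy of Samba 3's role logic, and reports every SID that the chosen role would reject, plus basic machine-account sanity checks. The two domain SIDs are the ones posted from sl1; the function names, the role table and the sample entries are assumptions made for the example. It also shows the caveat behind Norberto's member-server alternative: with security = DOMAIN the server's own SAM SID is still the machine SID, so LDAP accounts under the CHEMBMB SID are only resolvable through winbind, not through a local ldapsam passdb.

```python
"""Check that every passdb SID sits under the SID this Samba 3 server calls its own.

Added example, not code from the original thread.  LOCAL_SID/DOMAIN_SID are
the values posted from sl1; SAMPLE_LDIF is constructed; server_role() is a
simplified rendering of Samba 3's role derivation; all helper names are ours.
"""
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain SID plus one RID

LOCAL_SID = "S-1-5-21-1557386430-3227286864-500253393"    # "SID for domain SL1"
DOMAIN_SID = "S-1-5-21-4167008922-1292391803-4044586981"  # "SID for domain CHEMBMB"
RID_DOMAIN_COMPUTERS = 515

# Constructed entries: users as described in the thread, machine account
# shaped like tms3's example (no NT hash on purpose).
SAMPLE_LDIF = """\
dn: uid=spalmer,ou=Chemistry users,ou=Chemistry,dc=cns
uid: spalmer
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4167008922-1292391803-4044586981-21004
sambaPrimaryGroupSID: S-1-5-21-4167008922-1292391803-4044586981-513
sambaAcctFlags: [U          ]

dn: uid=amckenzie,ou=Chemistry users,ou=Chemistry,dc=cns
uid: amckenzie
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4167008922-1292391803-4044586981-21006
sambaPrimaryGroupSID: S-1-5-21-4167008922-1292391803-4044586981-513
sambaAcctFlags: [U          ]

dn: uid=zaphod$,ou=computers,dc=cns
uid: zaphod$
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4167008922-1292391803-4044586981-83656
sambaPrimaryGroupSID: S-1-5-21-4167008922-1292391803-4044586981-515
sambaAcctFlags: [W          ]
"""


def server_role(security="user", domain_logons=False, domain_master=False):
    """Simplified version of how Samba 3 derives its role from smb.conf."""
    security = security.lower()
    if security in ("domain", "ads"):
        return "member"
    if security == "user" and domain_logons:
        return "pdc" if domain_master else "bdc"
    return "standalone"


def global_sam_sid(role, local_sid=LOCAL_SID, domain_sid=DOMAIN_SID):
    """SID that passdb lookups treat as 'our domain' for the given role.

    Only a DC adopts the domain SID; a standalone server, and a member
    server's own local passdb, stay with the machine SID.
    """
    return domain_sid if role in ("pdc", "bdc") else local_sid


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} (no continuation lines)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def check_entries(entries, sam_sid):
    """Return the problems lookup_global_sam_name would hit; [] means all usable."""
    problems = []
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if not SID_RE.match(sid):
                    problems.append(f"{uid}: {attr} {sid} is not a well-formed account SID")
                elif not sid.startswith(sam_sid + "-"):
                    problems.append(f"{uid}: {attr} {sid} is not under {sam_sid}")
        if uid.endswith("$"):  # machine account: trust flag and Domain Computers
            flags = e.get("sambaAcctFlags", [""])[0]
            if "W" not in flags and "S" not in flags:
                problems.append(f"{uid}: machine account lacks W or S in sambaAcctFlags")
            pg = e.get("sambaPrimaryGroupSID", [""])[0]
            if pg and rid(pg) != RID_DOMAIN_COMPUTERS:
                problems.append(f"{uid}: primary group RID {rid(pg)} is not Domain Computers (515)")
    return problems


def diagnose(role, ldif=SAMPLE_LDIF):
    return check_entries(parse_ldif(ldif), global_sam_sid(role))


if __name__ == "__main__":
    for settings in ({}, {"domain_logons": True, "domain_master": True}):
        role = server_role(**settings)
        found = diagnose(role)
        print(f"role={role}: {len(found)} problem(s)")
        for p in found:
            print("  " + p)
```

Feed it the real output of `ldapsearch -LLL` over your user and computer subtrees together with the two SIDs from `net getdomainsid`; a list of "not under" problems for the standalone role and none for the DC role reproduces exactly the situation in this thread.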
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
So no one has any guesses on this? I've found nothing new, so any help at all would be appreciated...

-Alex

Alex McKenzie wrote:
> Greetings,
>
> While I've seen this referred to a lot of places, I haven't yet found a posted solution that works for me. Testing has been done from a Mac running OSX 10.5.8
>
> Here's what I have so far: if anyone can give me a next step to test, I'd appreciate it. If anyone can give me a complete solution, I'd appreciate it even more. 8-)
>
> 1) An LDAP server mv, running Ubuntu 8.04 LTS. Samba is not installed.
>
> 2) A group file server sl1, running Ubuntu 8.04 LTS. LDAP is not installed.
>
> 3) Users can successfully authenticate to sl1 against LDAP when connecting via SSH. If their user directory exists (they have logged in via ssh) they can connect to their home directory through samba by connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal network), so I know samba is successfully connecting to the LDAP server. Traffic between the file server and the LDAP server is encrypted, as confirmed with tcpdump.
>
> 4) When attempting to access a group share, the connection is refused, and the following shows up in the samba logs: the share has users amckenzie and suzanne.
>
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User spalmer with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User amckenzie with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
>
> 5) All connections, successful or not, cause the following messages in the samba logs on sl1:
>
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
>   create_builtin_administrators: Failed to create Administrators
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
>   create_builtin_users: Failed to create Users
> [2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
>   Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
>
> 6) On sl1, net getdomainsid returns the following:
>
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>
> 7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.
>
> 8) testparm on sl1 returns the following:
>
> Load smb config files from /etc/samba/smb.conf
> Processing section [homes]
> Processing section [itadmins]
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = CHEMBMB
>     server string = %h server (Samba, Ubuntu)
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     syslog = 255
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     dns proxy = No
>     ldap admin dn = cn=admin,dc=cns
>     ldap group suffix = ou=Chemistry groups
>     ldap suffix = ou=Chemistry,dc=cns
>     ldap ssl = no
>     ldap user suffix = ou=Chemistry users
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     invalid users = root
>
> [homes]
>     comment = Home Directories
>     read only = No
>     browseable = No
>
> [itadmins]
>     comment = Shared directory for the IT group
>     path = /home/itadmins
>     valid users = spalmer, amckenzie
>     read only = No
>     create mask = 0665
>     directory mask = 0775
>
> Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.
>
> Thanks in advance,
> Alex McKenzie
> a...@chem.umass.edu
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
SNIP
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>
> 7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.

You have two different domains. And the users are in CHEMBMB and the server is a member of SL1. Why not join SL1 to CHEMBMB?

> 8) testparm on sl1 returns the following:
>
> Load smb config files from /etc/samba/smb.conf
> Processing section [homes]
> Processing section [itadmins]
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = CHEMBMB
>     server string = %h server (Samba, Ubuntu)
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     syslog = 255
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     dns proxy = No
>     ldap admin dn = cn=admin,dc=cns
>     ldap group suffix = ou=Chemistry groups
>     ldap suffix = ou=Chemistry,dc=cns
>     ldap ssl = no
>     ldap user suffix = ou=Chemistry users
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     invalid users = root
>
> [homes]
>     comment = Home Directories
>     read only = No
>     browseable = No
>
> [itadmins]
>     comment = Shared directory for the IT group
>     path = /home/itadmins
>     valid users = spalmer, amckenzie
>     read only = No
>     create mask = 0665
>     directory mask = 0775
>
> Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.
>
> Thanks in advance,
> Alex McKenzie
> a...@chem.umass.edu
[Samba] Samba/LDAP share issue -- user with invalid SID
Greetings,

While I've seen this referred to a lot of places, I haven't yet found a posted solution that works for me. Testing has been done from a Mac running OSX 10.5.8

Here's what I have so far: if anyone can give me a next step to test, I'd appreciate it. If anyone can give me a complete solution, I'd appreciate it even more. 8-)

1) An LDAP server mv, running Ubuntu 8.04 LTS. Samba is not installed.

2) A group file server sl1, running Ubuntu 8.04 LTS. LDAP is not installed.

3) Users can successfully authenticate to sl1 against LDAP when connecting via SSH. If their user directory exists (they have logged in via ssh) they can connect to their home directory through samba by connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal network), so I know samba is successfully connecting to the LDAP server. Traffic between the file server and the LDAP server is encrypted, as confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused, and the following shows up in the samba logs: the share has users amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [itadmins]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    workgroup = CHEMBMB
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 255
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    ldap admin dn = cn=admin,dc=cns
    ldap group suffix = ou=Chemistry groups
    ldap suffix = ou=Chemistry,dc=cns
    ldap ssl = no
    ldap user suffix = ou=Chemistry users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    invalid users = root

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[itadmins]
    comment = Shared directory for the IT group
    path = /home/itadmins
    valid users = spalmer, amckenzie
    read only = No
    create mask = 0665
    directory mask = 0775

Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.

Thanks in advance,
Alex McKenzie
a...@chem.umass.edu
Re: [Samba] samba, ldap, kerberos
samba-requ...@lists.samba.org wrote:

> Subject: Re: [Samba] samba, ldap, kerberos
> From: Natxo Asenjo natxo.ase...@gmail.com
> Date: Mon, 15 Feb 2010 09:42:18 +0100
> To: Samba Mail List samba@lists.samba.org
>
> On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta pramathesh.amba...@gmail.com wrote:
>> Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?
>
> take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.
>
> natxo

Thanks for your response
Pramathesh
Re: [Samba] samba, ldap, kerberos
On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta pramathesh.amba...@gmail.com wrote:
> Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?

take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.

natxo
[Samba] samba, ldap, kerberos
Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?

Grateful for help
Pramathesh