[Samba] RE: SAMBA PDC User Permissions, Admin Settings, and Logon?
Thank you! This definitely fixed the mapping problem. Now if I could only make my logons TRULY roaming...

Nolan

Rob Savage wrote:

> Hey Nolan,
>
> I can easily give you an answer to I3
>
> Issue 3: This is my main frustration - I cannot seem to block access to other people's shares! EG user chrisg can access the nolan share, etc.
>
> [homes]
>     comment = Home Directory for %u
>     read only = No
>     create mask = 0660
>     directory mask = 0770
>     browseable = No
>     oplocks = No
>     level2 oplocks = No
>
> Try adding these:
>
>     Valid users = %U
>     Path = /home/%u
>     Guest ok = No
>
> ---
> Have an excellent day,
> Rob Savage
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nolan Garrett
> Sent: February 24, 2003 11:49 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] SAMBA PDC User Permissions, Admin Settings, and Logon?
>
> Hi all!
>
> First off, I'd like to thank you for the help you've previously given me. I'd like to state a few of the problems I am now experiencing, and you all can provide insight. I've read all the documentation I can find and have surfed the archives for this newsgroup, but to no avail. Any help would be greatly appreciated! (I am using SAMBA 2.2.7)
>
> Issue 1: If I don't have every user listed in the admin users = section that I want to allow logon access, they cannot log on. I usually get a domain unavailable error.
>
> Issue 2: If I don't set up each user account (w/ domain) on the WinXP machine I want to logon to, I get some kind of very, very limited logon. It almost seems to be corrupted.
>
> Issue 3: This is my main frustration - I cannot seem to block access to other people's shares! EG user chrisg can access the nolan share, etc.
>
> Final Issue: Not a big problem, but I can't figure out how to set up the CUPS drivers for the pdf-generator. Is it a winbind problem, bad config, or am I just a moron?
>
> Attached is my smb.conf
>
> # Samba config file created using SWAT
> # from gridlock.workgroup.net (192.168.0.5)
> # Date: 2003/02/24 18:08:30
>
> # Global parameters
> [global]
>     netbios name = MAIN
>     server string = Samba Server %v
>     encrypt passwords = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*succesfully*
>     unix password sync = Yes
>     log level = 1
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>     printcap name = cups
>     domain admin group = @admins
>     add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
>     logon script = %U.bat
>     logon path = \\main\profiles\%U
>     logon drive = Z:
>     logon home = \\main\%U\.profile
>     domain logons = Yes
>     os level = 99
>     domain master = Yes
>     dns proxy = No
>     wins support = Yes
>     winbind uid = 1-2
>     winbind gid = 1-2
>     ; valid users = ahayes root danielleg chrisg rickg nolan
>     admin users = root nolan chrisg rickg danielleg alyssag
>     printer admin = nolan root
>     hosts allow = 192.168.0. 127.
>     ; profile acls = Yes
>     printing = cups
>
> [homes]
>     comment = Home Directory for %u
>     read only = No
>     create mask = 0660
>     directory mask = 0770
>     browseable = No
>     oplocks = No
>     level2 oplocks = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     write list = root nolan
>
> [profiles]
>     path = /var/lib/samba/profiles
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     guest ok = Yes
>     browseable = No
>     csc policy = disable
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printer admin = root nolan
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /etc/samba/drivers
>     write list = root nolan
>
> [pdf-generator]
>     comment = PDF Generator (only valid users!)
>     path = /var/tmp
>     printable = Yes
>     print command = /usr/share/samba/scripts/print-pdf %s ~%u %L %u %m
>
> [public]
>     comment = Public
>     path = /home/samba/public
>     read only = No
>     guest ok = Yes

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
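Added example, not part of the original posts and not Samba's own code: a small Python check for the three settings that Issue 3 in the message above depends on (who is listed in admin users, whether [homes] is limited with valid users = %S, and whether a writable share allows guests). The two configs are constructed from settings quoted in the thread; parse_smb_conf and audit are names chosen for this example.

```python
import re

TRUE = {"yes", "true", "1"}

# Constructed sample, modelled on the [global], [homes] and [profiles]
# settings in the smb.conf posted in this thread.
WEAK_CONF = """
[global]
    ; valid users = root nolan chrisg
    admin users = root nolan chrisg rickg danielleg alyssag
[homes]
    read only = No
    create mask = 0660
    browseable = No
[profiles]
    path = /var/lib/samba/profiles
    read only = No
    guest ok = Yes
"""

# Constructed sample: the same shares, restricted. %S expands to the share
# name, which for [homes] is the username that was requested.
HARDENED_CONF = """
[global]
    admin users = root
[homes]
    valid users = %S
    guest ok = No
    read only = No
    browseable = No
[profiles]
    path = /var/lib/samba/profiles
    read only = No
    guest ok = No
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and spacing inside parameter names
            current[" ".join(name.lower().split())] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, parameter, message) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    def lookup(share, *names):
        # A share-level value wins; otherwise [global] supplies the default.
        for scope in (conf[share], glob):
            for name in names:
                if name in scope:
                    return scope[name]
        return None

    def enabled(value):
        return value is not None and value.lower() in TRUE

    # Everyone in "admin users" performs file operations as root, so Unix
    # permissions no longer separate their files from anyone else's.
    listed = re.split(r"[,\s]+", glob.get("admin users", ""))
    extra = [u for u in listed if u and u != "root"]
    if extra:
        findings.append(("global", "admin users",
                         "root file access for: " + " ".join(extra)))

    for share in conf:
        if share == "global":
            continue
        if share == "homes" and "%S" not in (lookup(share, "valid users") or ""):
            findings.append((share, "valid users",
                             "not restricted to the owning user (%S)"))
        read_only = lookup(share, "read only")
        if read_only is not None:
            writable = not enabled(read_only)
        else:  # "read only" defaults to yes unless a writeable synonym is set
            writable = enabled(lookup(share, "writeable", "writable", "write ok"))
        if writable and enabled(lookup(share, "guest ok", "public")):
            findings.append((share, "guest ok",
                             "guest access enabled on a writable share"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for section, param, message in audit(text):
            print(f"  [{section}] {param}: {message}")
```
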
Re: [Samba] pdc
What does the script look like that creates the machine accounts? Sounds like the machine account isn't getting created quite right. It might be okay enough for 2k but not xp?

Yes, let us know what you find out

Bob

----- Original Message -----
From: ryan oberto [EMAIL PROTECTED]
To: samba [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 1:55 AM
Subject: [Samba] pdc

howdie all

I've got a pdc server with win 2000 machines connecting to it fine, but when I put on a win XP machine it accepts me to the domain and creates a machine account, but when I try to log onto the domain I get

    domain controller down or unavailable or your machine account not found
    if this problem persists please contact your system administrator

I have built a redhat and a gentoo server but still the same

any ideas

thanks
ryan
[Samba] re: Samba PDC shared applications and a default start menu profile (Kevin S. Brackett)
Hi

I'm currently doing exactly this for several sites.

Within Win2K and above it is possible to configure Local Group Policy Objects, so that the ALLUSERPROFILES value is pointed to

    %LOGONSERVER%\Software\Documents and Settings\All Users\Start Menu

Thus when a user logs in, they see the menus stored in their profile, overlaid by these on the Network Drives.

Then, using the same techniques used by tools such as SMS and InstallRite, applications are wrapped and installed onto a Network only Drive. When a user clicks on the Application Icon, pointed to by the ALLUSERPROFILE Menu tree, the application is installed.

So far, we've been able to wrap most applications this way, from vendors such as Borland, Adobe, MacroMedia and Microsoft.

For details of this http://www.appdeploy.com has more details of how to do this.

Please note this doesn't work for all applications, for instance Microsoft Office needs some neat tricks to ensure that it installs a few things which need to be on the local C:

Hope this helps

Edmund

--
Edmund J. Sutcliffe       Thoughtful Solutions; Creatively
[EMAIL PROTECTED]         Implemented and Communicated
http://panic.fluff.org    +44 (0) 7976 938841
RE: [Samba] pdc win2k sp3 clients/samba 2.27a/redhat 8.0 got it working now !
OK guys,

After beating my head I got it to work !! I setup a new test machine with redhat 8.0 and used the stock samba in it 2.25-10 build. This seems to work like a charm and I was able to go through with it without a problem. Go figure why the compiled version 2.27a just didn't want to work? Anyways I found a doc off of the Linuxtoday.com site that some girl named Carla put together. I will take her text and make a new step by step manual for everyone based on my experience.

Thanks for everyone's help.

Raj

-----Original Message-----
From: mark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 11, 2003 12:51 AM
To: Raj Saxena; [EMAIL PROTECTED]
Subject: Re: [Samba] pdc help needed with win2k sp3 clients/samba 2.27a/redhat 8.0

On Tuesday 11 February 2003 07:52, Raj Saxena wrote:
> Does anyone have any good docs as to what clients work and with what service pack? I know some guys have had luck with debian, and win2ksp3. We have 17 clients in one building and then I would need to bring up two bdc (samba servers) if possible for the remote locations.

It sounds like you've done your homework, but this is quite a good document in case you haven't seen it.

http://hr.uoregon.edu/davidrl/samba/samba-pdc.html#pdc

I know it's possible to connect a w2k machine to a samba pdc as I've done it. Which is not to say anything about you, but just to confirm that it is actually possible.

Good luck,

mark
Re: [Samba] pdc help needed with win2k sp3 clients/samba 2.27a/redhat 8.0
On Tuesday 11 February 2003 07:52, Raj Saxena wrote:
> Does anyone have any good docs as to what clients work and with what service pack? I know some guys have had luck with debian, and win2ksp3. We have 17 clients in one building and then I would need to bring up two bdc (samba servers) if possible for the remote locations.

It sounds like you've done your homework, but this is quite a good document in case you haven't seen it.

http://hr.uoregon.edu/davidrl/samba/samba-pdc.html#pdc

I know it's possible to connect a w2k machine to a samba pdc as I've done it. Which is not to say anything about you, but just to confirm that it is actually possible.

Good luck,

mark
Re: [Samba] pdc
On Thu, 2003-02-06 at 04:39, Ryan oberto wrote:
> howdie all
>
> i have a samba pdc server running 3 instances of samba, 1 for each different domain. it works but i can't add a machine to a domain if the domain doesn't start first and now after 3 days i get service netlogon not running on the window machines
>
> can anybody tell me why windows only works properly with the first domain that starts

I've never tried this but I'll speculate if you like (take it for what it's worth...)

Since the domain joining occurs via rpc i'm guessing that all three sambas are listening (or trying to listen) on the same network address. I don't know how to explain the netlogon premature death.

Have you multihomed this machine? I think you'd have to at least use ip aliasing and make samba use an interfaces only statement to get this working.

This might be one for samba-technical.

brad

--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] PDC and BDC
On Wed, 2003-01-22 at 14:33, Sascha Bieler wrote:
> Hi @ all,
>
> can someone tell me please if I have to synchronise the samba-password-file when I have a PDC and a BDC running?

yes you do. or you could use ldap and replication...

> Situation: All machines have trustee accounts on the pdc and like to log on the bdc. Does the bdc know about the users from pdc when I set up the 'password server'-parameter?

it can use the pdc to authenticate users but then what's the point of a bdc?

brad

--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] PDC.
I have to say that my client has an entry in the smbpasswd file made with the -m option of the smbpasswd command. And all these computers are known by my DNS with their Netbios name.

--
Fabien COMBERNOUS - IT Engineer
eProcess - Parc Club du Millénaire Batiment n° 6
1025 rue Henri Becquerel - 34000 Montpellier FRANCE
http://www.eprocess.tv - +33 (0)4 67 13 84 50
RE: [Samba] PDC.
Fabien,

When you are asked for a user name and password when adding a workstation to the domain controller, do not use Administrator, instead use root (no quotes in your response) as the user name and the appropriate password for root.

This should help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fabien Combernous
Sent: Wednesday, January 15, 2003 4:59 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC.

Lo,

I'm wanting to set up a samba pdc with win2k stations. Actually when I want to add a station in the domain I have configured on my samba server I have this type of answer on client side: impossible to enter in this domain because user or passwd is not correct.

So but I have in smbd log:

this in first:

[2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(467)
  smb_password_ok: Checking SMB password for user administrateur
[2003/01/14 19:09:36, 5] smbd/password.c:smb_password_ok(481)
  smb_password_ok: challenge received
[2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(491)
  smb_password_ok: Checking NT MD4 password
[2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(493)
  smb_password_ok: NT MD4 password check succeeded

this is second:

[2003/01/14 19:21:14, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
  startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. Error was Permission denied
[2003/01/14 19:21:14, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1416)
  unable to open passdb database.
[2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_debug(60)
  00 samr_io_r_set_userinfo
[2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
  status: NT_STATUS_ACCESS_DENIED
[2003/01/14 19:21:14, 5] rpc_server/srv_pipe.c:api_rpcTNP(1218)
  api_rpcTNP: called api_samr_rpc successfully

My configuration file is:

[global]
    workgroup = EPROCESS
    server string = e'process Samba Server
    invalid users = root
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    smb passwd file = /etc/samba/smbpasswd
    security = user
    encrypt passwords = true
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain logons = yes
    local master = yes
    os level = 99
    domain master = yes
    preferred master = yes
    wins support = yes
    dns proxy = yes

Any idea ? What is wrong ? Any help will be appreciated :o)

Thanks

Fabien.

--
Fabien COMBERNOUS - IT Engineer
eProcess - Parc Club du Millénaire Batiment n° 6
1025 rue Henri Becquerel - 34000 Montpellier FRANCE
http://www.eprocess.tv - +33 (0)4 67 13 84 50
Re: [Samba] PDC.
When I'm with root user, client side says that my network passwd is wrong. My pdc server side says NT_STATUS_WRONG_PASSWORD. But I have verified my passwd, I am sure of my passwd. I have put same passwd on system and samba. Same message is given.

Any idea ?

Don Zajic wrote:

> Fabien,
>
> When you are asked for a user name and password when adding a workstation to the domain controller, do not use Administrator, instead use root (no quotes in your response) as the user name and the appropriate password for root.
>
> This should help.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fabien Combernous
> Sent: Wednesday, January 15, 2003 4:59 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] PDC.
>
> Lo,
>
> I'm wanting to set up a samba pdc with win2k stations. Actually when I want to add a station in the domain I have configured on my samba server I have this type of answer on client side: impossible to enter in this domain because user or passwd is not correct.
>
> So but I have in smbd log:
>
> this in first:
>
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(467)
>   smb_password_ok: Checking SMB password for user administrateur
> [2003/01/14 19:09:36, 5] smbd/password.c:smb_password_ok(481)
>   smb_password_ok: challenge received
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(491)
>   smb_password_ok: Checking NT MD4 password
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(493)
>   smb_password_ok: NT MD4 password check succeeded
>
> this is second:
>
> [2003/01/14 19:21:14, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
>   startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. Error was Permission denied
> [2003/01/14 19:21:14, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1416)
>   unable to open passdb database.
> [2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_debug(60)
>   00 samr_io_r_set_userinfo
> [2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
>   status: NT_STATUS_ACCESS_DENIED
> [2003/01/14 19:21:14, 5] rpc_server/srv_pipe.c:api_rpcTNP(1218)
>   api_rpcTNP: called api_samr_rpc successfully
>
> My configuration file is:
>
> [global]
>     workgroup = EPROCESS
>     server string = e'process Samba Server
>     invalid users = root
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     smb passwd file = /etc/samba/smbpasswd
>     security = user
>     encrypt passwords = true
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     domain logons = yes
>     local master = yes
>     os level = 99
>     domain master = yes
>     preferred master = yes
>     wins support = yes
>     dns proxy = yes
>
> Any idea ? What is wrong ? Any help will be appreciated :o)
>
> Thanks
>
> Fabien.

--
Fabien COMBERNOUS - IT Engineer
eProcess - Parc Club du Millénaire Batiment n° 6
1025 rue Henri Becquerel - 34000 Montpellier FRANCE
http://www.eprocess.tv - +33 (0)4 67 13 84 50
Re: [Samba] PDC.
Finally I added an X just after U in the smbpasswd file and now root can access my domain. But all other users can't. I don't know what to change to get good permission.

root:0:passwd_type1:passwd_type2:[UX ]:LCT-number:root
                                   ^ I added this X

Don Zajic wrote:

> Fabien,
>
> When you are asked for a user name and password when adding a workstation to the domain controller, do not use Administrator, instead use root (no quotes in your response) as the user name and the appropriate password for root.
>
> This should help.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fabien Combernous
> Sent: Wednesday, January 15, 2003 4:59 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] PDC.
>
> Lo,
>
> I'm wanting to set up a samba pdc with win2k stations. Actually when I want to add a station in the domain I have configured on my samba server I have this type of answer on client side: impossible to enter in this domain because user or passwd is not correct.
>
> So but I have in smbd log:
>
> this in first:
>
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(467)
>   smb_password_ok: Checking SMB password for user administrateur
> [2003/01/14 19:09:36, 5] smbd/password.c:smb_password_ok(481)
>   smb_password_ok: challenge received
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(491)
>   smb_password_ok: Checking NT MD4 password
> [2003/01/14 19:09:36, 4] smbd/password.c:smb_password_ok(493)
>   smb_password_ok: NT MD4 password check succeeded
>
> this is second:
>
> [2003/01/14 19:21:14, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
>   startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. Error was Permission denied
> [2003/01/14 19:21:14, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1416)
>   unable to open passdb database.
> [2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_debug(60)
>   00 samr_io_r_set_userinfo
> [2003/01/14 19:21:14, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
>   status: NT_STATUS_ACCESS_DENIED
> [2003/01/14 19:21:14, 5] rpc_server/srv_pipe.c:api_rpcTNP(1218)
>   api_rpcTNP: called api_samr_rpc successfully
>
> My configuration file is:
>
> [global]
>     workgroup = EPROCESS
>     server string = e'process Samba Server
>     invalid users = root
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     smb passwd file = /etc/samba/smbpasswd
>     security = user
>     encrypt passwords = true
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     domain logons = yes
>     local master = yes
>     os level = 99
>     domain master = yes
>     preferred master = yes
>     wins support = yes
>     dns proxy = yes
>
> Any idea ? What is wrong ? Any help will be appreciated :o)
>
> Thanks
>
> Fabien.

--
Fabien COMBERNOUS - IT Engineer
eProcess - Parc Club du Millénaire Batiment n° 6
1025 rue Henri Becquerel - 34000 Montpellier FRANCE
http://www.eprocess.tv - +33 (0)4 67 13 84 50
[Samba] Re: samba PDC and windows xp profiles...
OK, after downloading the entire source for Samba 2.2.7a and compiling, instead of simply patching up to 2.2.7a, I no longer have the issue of writing to the Cookies folder in the win9x profile. There is an issue with the win9x machine not shutting down, but that may be a machine issue, so I will troubleshoot that some more.

However, the winXP is getting a new error which I am not 100% sure about:

    Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to profile will not be copied to the server when you log off. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.

Again, here is the smb.conf and ls -l of the profiles folder:

    drwxrwxrwt    4 root     users    4096 Dec  9 16:28 profiles

and profiles/

    drwxrwxrwx    2 banderso geo      4096 Dec  6 17:05 banderson

(Obviously, the username is banderson, and the users group is geo (the grp ownership was root, to begin with, but I changed it to geo and got the same error))

smb.conf:

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2002/11/17 15:45:04

# Global parameters
[global]
    ; Basic server settings
    workgroup = REEDNET
    netbios name = REGMAIN
    security = USER

    ; we should act as the domain and local master browser
    os level = 65
    domain master = yes
    local master = yes
    preferred master = yes

    ; encrypted passwords are a requirement for a PDC
    encrypt passwords = yes

    ; support domain logons
    domain logons = yes

    ; where to store user profiles?
    logon path = \\%L\profiles\%U

    ; where is a user's home directory and where should it
    ; be mounted at?
    logon drive = x:
    logon home = \\%L\%U\.profile

    ; needed for win9x profiles
    preserve case = yes
    short preserve case = yes
    case sensitive = no

    ; specify a generic logon script for all users
    ; this is a relative **DOS** path to (from) the [netlogon] share
    logon script = logon.bat

    ; specific password (lack of) requirements
    min passwd length = 0
    null passwords = yes
    passwd program = /usr/bin/passwd -u %u
    unix password sync = yes

    ; Logging options
    log level = 3
    log file = /usr/local/samba/var/log.%m
    max log size = 50

    ; Tuning options
    deadtime = 15
    keepalive = 0

    ; Special users and handlers
    domain admin group = root amccaleb
    message command = /bin/mail -s 'message from %f on %m' root %s; rm %s
    hide local users = no
    admin users = root amccaleb
    wins support = yes
    add user script = /usr/sbin/useradd -d /dev/null -g 110 -s /bin/false -M %u

[homes]
    path = %H
    valid users = %S
    read only = no
    guest ok = no
    create mask = 0777
    directory mask = 0777
    browseable = yes
    level2 oplocks = yes
    dos filetimes = yes

; share for storing nt/2k/xp user profiles
[profiles]
    path=/srv/profiles
    read only = no
    create mask = 0777
    directory mask = 0777
    nt acl support = no
    browseable = yes

[netlogon]
    path = /srv/netlogon
    read only = yes
    write list = root amccaleb
RE: [Samba] PDC: Problems making the win2k client join domain
Try adding root to smbpasswd and then when adding the domain use root and root's passwd.

-----Original Message-----
From: akshay rawat [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:07 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC: Problems making the win2k client join domain

I am having problems making the client win2k machine join the domain.

My Samba PDC is configured as follows:
1. added trust account to the smbpasswd file (account to the win2k machine name).
2. set the global admin parameter to student (student acnt exists on smb server)

Client is configured as follows:
1. user 'student' has been created.

Problem:
When I change the option of workgroup to domain, the Win2k client is able to recognize the domain but it is giving problems authenticating the username/passwd. Which username/passwd am I supposed to give here? The manual says that the samba administrative usrname/passwd should be given here, is this the global admin parameter = student usrname/passwd earlier set in the samba PDC or is it something else?

I'm using Samba 2.2.3a. The error message shown is 'unknown username or bad password'.

Thank You,
Akshay
Re: [Samba] PDC Problems...
On Sun, Nov 24, 2002 at 01:09:02AM +, Brett Cook wrote:
> I've checked all the settings in the smb.conf against the man pages, all seem correct. What else could I be missing? Why can't it see the server?

At the samba machine command line:

Is the client pc pingable?
Is there a running firewall config which permits/denies services?
Can you access via smbclient your samba machine?

    smbclient //tatty/root -U root -W THEMOLE

Make sure that root is a valid smbpasswd account.

If one of the answers is no, you have a local problem (networking/sambaconfig).

What unix/linux do you use?
What samba version do you use?
Do you compile Samba by yourself or have you installed a package from your distri?
If you have installed a package, which one (fullname).

--
Frank Matthieß [EMAIL PROTECTED]
Re: [Samba] PDC Problems...
I've checked all the settings in the smb.conf against the man pages, all seem correct. What else could I be missing? Why can't it see the server?

The following is my config file.

/etc/samba/smb.conf

[global]
    workgroup = THEMOLE
    netbios name = TATTY
    netbios aliases = PDC
    server string = Samba Server %v
    encrypt passwords = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    printcap name = lpstat
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    preload = pdf-generator
    printing = cups
    security = user
    local master = yes

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[print$]
    path = /var/lib/samba/printers
    write list = @adm root

[pdf-generator]
    comment = PDF Generator (only valid users)
    path = /var/tmp
    printable = Yes
    print command = /usr/share/samba/scripts/print-pdf %s ~%u %L%u %m %I

[netlogon]
    path = /home/netlogon
    write list = root

--
::TheMole::.
did i mistake your words? did i betray your well worn trust?
http://themole.yi.org ~ http://www.buhsnarf.net
Re: [Samba] PDC Problems...
On Sat, 2002-11-23 at 20:09, Brett Cook wrote:

I don't see an obvious problem with your conf file... the nmbd log you posted looks okay too.

please post the log.smbd of a machine trying to join the domain.

what kind of failure do you see? does it fail to log on, what is the client, etc?

brad

--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] PDC Problems...
On Thu, Nov 21, 2002 at 03:49:16PM +, [EMAIL PROTECTED] wrote:
> I've added all those and still no joy :( Any other hints?

Do you use the docu from the Samba howto collection? Did you check your running config (get this with testparm) and verify it against docu and man smb.conf?

--
Frank Matthieß [EMAIL PROTECTED]
Re: [Samba] PDC Problems...
On Fri, Nov 22, 2002 at 02:34:18PM +, [EMAIL PROTECTED] wrote:
> Just saw this in my System log.
>
> Nov 22 14:20:09 nmbd query_name: Failed to send packet trying to query name THEMOLE1d (with the 1d on the end)

1d is for local master browser. Samba-HOWTO-Collection.pdf section 2.3 page 9 (14/88)

In my first answer I gave you the hint to add local master browser = yes. Did you forget this in your smb.conf?

Please make a crosscheck from your actual samba config (no - not the smb.conf, try testparm to get _all_ parm's) and the Samba-HOWTO-Collection.pdf.

Do a testparm samba.config. You must press _one_ key to dump this to the file ;-)

It will save a lot of your time if you check all unknown parm's in testparm output with man smb.conf in another console/terminal window. I've learned much about samba with this crosscheck. Every parameter you don't understand will be left with default values.

> What's that about? Could it have something to do with anything?

I think so. Please make sure that your samba server is the only pdc for THEMOLE and the only wins server for your network.

Are there running nt server systems? Do they serve wins or the domain? There can only be one wins server in your network. samba is able to use a nt wins server with the global smb.conf parm wins server. It is preferred to use the nt wins server if you have one.

> Thanks.

These questions should be sent to the samba list, because this is helpful for all other new people who want to set up a samba server as pdc. For you there is a better chance to get appropriate answers. Think about timezone diff's ;-).

--
Frank Matthieß [EMAIL PROTECTED]
Re: [Samba] PDC Problems...
On Thu, Nov 21, 2002 at 02:30:05PM +, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I've looked through the archives and I can't seem to find a solution, so here's my problem.
>
> I have three Win2k clients and one Samba server which I set up as a PDC (or at least I thought so.) The domain is THEMOLE yet when I try to join the domain from the clients it says;
>
> The following error occurred validating the name THEMOLE
> The specified domain either does not exist or could not be contacted.
>
> I've included my smb.conf below and was just wondering if I've done something stupidly wrong?

Add security = user. In samba 2.2 this is default.

> Thanks in advance.
>
> ---
>
> My smb.conf is :
>
> # Global parameters
> [global]
>     workgroup = THEMOLE
>     netbios name = TATTY
>     netbios aliases = PDC
>     server string = Samba Server %v
>     encrypt passwords = Yes
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     printcap name = lpstat
>     domain logons = Yes

Ack.

>     os level = 64

Ack.

>     preferred master = True

True? I prefer Yes, possibly it runs with True. Check with the testparm command, all settings as you expect.

>     domain master = True

Yes.

Add local master = Yes. Take a look in Samba-HOWTO-Collection.pdf Page 49/88

>     dns proxy = No
>     wins support = Yes

Ack. Make sure that your clients will use this wins server.

Frank.

--
Frank Matthieß [EMAIL PROTECTED]
Re: [Samba] PDC Problems
I got the problem clear: when i try to join the domain (as root) smb reports in the machine log that guest is trying to do something and it fails authentication...

I partially fixed it mapping the guest user on root but this's not what security manuals suggest ;-)

Hope someone can clarify me now...

bye by(t)e[s]TuX!
Re: [Samba] PDC Problems
Michele Santucci wrote:
> I got the problem clear: when i try to join the domain (as root) smb reports in the machine log that guest is trying to do something and it fails authentication...

You never mentioned that you couldn't join the domain. You should get a Welcome to the Domain Domain message if it worked. I now assume you didn't get one.

Please remember, the more information you give about your problem, the easier it is for other people to help you.

> I partially fixed it mapping the guest user on root but this's not what security manuals suggest ;-)
>
> Hope someone can clarify me now...
>
> bye by(t)e[s]TuX!

Can you connect normally to the server as root?

    $ smbclient -L server_name -U root

(you can try this on the server itself).

If not, you need to add an smbpasswd for root. As root, do:

    # smbpasswd -a

Then try it again. If it works, you should now be able to join the domain.

This is all covered in the documentation that ships with samba, and the webpage I sent a link to you about:
http://ranger.dnsalias.com/mandrake/muo/connect/csamba6.html

Regards,
Buchan

--
|Registered Linux User #182071-|
Buchan Milne                          Mechanical Engineer, Network Manager
Cellphone * Work                      +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering   http://www.cae.co.za
GPG Key                               http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Re: [Samba] PDC Problems
> Michele Santucci wrote:
> > I got the problem clear: when I try to join the domain (as root) smb reports in the machine log that guest is trying to do something and it fails authentication...
>
> You never mentioned that you couldn't join the domain. You should get a Welcome to the Domain Domain message if it worked. I now assume you didn't get one.

Not at all I got the Welcome to the domain CCGM but in the logs I got this:

[2002/11/20 19:57:44, 0] smbd/service.c:make_connection(381)
  make_connection: root logged in as admin user (root privileges)
[2002/11/20 19:57:44, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2050)
  Returning domain sid for domain CCGM - S-1-5-21-739079523-194949929-328313008 3
[2002/11/20 19:57:46, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest
[2002/11/20 19:57:47, 2] smbd/service.c:make_connection(331)
  Invalid username/password for ipc$ [guest]
[2002/11/20 19:58:45, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest
[2002/11/20 19:58:45, 2] smbd/service.c:make_connection(331)
  Invalid username/password for ipc$ [guest]
[2002/11/20 19:59:46, 2] smbd/server.c:exit_server(461)
  Closing connections

All these lines come during the domain joining of the workstation..

> Please remember, the more information you give about your problem, the easier it is for other people to help you.

Of course... that's the way I'd attached the smb.conf file :-) (this time I wrote it by hand with pico)

> $ smbclient -L server_name -U root

yep and I got this:

Domain=[CCGM] OS=[Unix] Server=[Samba 2.2.6]

    Sharename      Type      Comment
    ---------      ----      -------
    public         Disk      Public Folder
    ccgm           Disk      CCGM Folder
    satyagra       Disk      Satya Gra Folder
    IPC$           IPC       IPC Service (Samba Server 2.2.6)
    ADMIN$         Disk      IPC Service (Samba Server 2.2.6)
    root           Disk      Home Directories

    Server               Comment
    ---------            -------
    ARCHIVIO
    CCGMSERVER           Samba Server 2.2.6
    GFX
    RECEPTION
    SERVER-CCGM          Samba Server 2.2.6
    VIDEO

    Workgroup            Master
    ---------            -------
    CCGM                 CCGMSERVER
    WORKGROUP            GFX
Re: [Samba] PDC Problems 2
BTW if I try to login after having 'successfully' joined the domain and rebooted the system I got this: Cannot login! The remote user doesn't exist and/or the password is invalid (with every user registered onto the pdc)

P.S. I patched the workstation (W2K SP3) with the plainpassword.reg fix...

C.ya
Re: [Samba] PDC Problems 2
On Wed, 20 Nov 2002, Michele Santucci wrote:
> BTW if I try to login after having 'successfully' joined the domain and rebooted the system I got this: Cannot login! The remote user doesn't exist and/or the password is invalid (with every user registered onto the pdc)
>
> P.S. I patched the workstation (W2K SP3) with the plainpassword.reg fix...

Sorry. Domain security is NOT compatible with plain-text password only servers. You need to enable encrypted passwords and enter each machine and user into your smbpasswd database. Follow the directions in the Entire-HOWTO-Collection on the samba home page.

- John T.
--
John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] PDC Problems
> Message: 18
> From: Michele Santucci [EMAIL PROTECTED]
> To: Samba [EMAIL PROTECTED]
> Date: Mon, 18 Nov 2002 21:34:13 +0100
> Subject: [Samba] PDC Problems
>
> Hello,
> That's what I got trying to join a Win2K workstation to my domain (managed by a linux/samba server), after I joined the domain the system refuse to logon/add any domain user reporting a trust relationship failure...
>
> 1) All the clients are Windows 2000 sp3 machines (tcp + netbeui)
> 2) Linux server use a Mandrake 8.2 pro suite running samba 2.2.6
>
> /etc/passwd
> video$:x:504:421:Machine Account:/dev/null:/bin/false
>
> /etc/samba/smbpasswd
> video$:504:DD8EB67612E73F3842517E31664A1C6C:BC3911425DC8A72332F814FC212ABE91 :[W ]:LCT-3DD8E642:
> ^ seems like it created the machine account correctly
>
> [root@server samba]# more log.video
> [2002/11/18 14:08:17, 0] smbd/service.c:make_connection(381)
>   make_connection: root logged in as admin user (root privileges)
>
> As long as I add machine accounts it just show this
>
> [2002/11/18 14:09:18, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest
> [2002/11/18 14:10:30, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest
>
> these lines appear after the procedure created the machine account and I try to add a new local account (called michele) taking it from the domain.

Explain this more please. Are you trying to log in with a domain account that exists on the samba server, which has been given an smbpasswd? The user is being mapped to 'guest' which seems to not exist.

> [root@server samba]# more log.smbd
> [2002/11/18 14:06:42, 0] smbd/server.c:main(707)
>   smbd version 2.2.6 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2002
> [2002/11/18 14:07:42, 0] smbd/server.c:open_sockets(238)
>   Got SIGHUP
>
> This's my CONFIGURATION file ...
>
> [root@server samba]# more /etc/samba/smb.conf
> # Samba config file created using SWAT
> # from 0.0.0.0 (0.0.0.0)
> # Date: 2002/11/18 13:52:01
> # Global parameters
> [global]
>   workgroup = CCGM-DOM
>   netbios name = CCGM-SERVER
>   server string = Samba Server %v
>   encrypt passwords = Yes
>   update encrypted = Yes
>   null passwords = Yes
>   pam password change = Yes

You may want to disable unix password sync and pam password change until you have this working. You haven't got a 'passwd chat' configured, which could cause this to fail.

>   username map = /etc/samba/smbusers
>   unix password sync = Yes
>   admin log = Yes
>   log file = /var/log/samba/log.%m
>   max log size = 50
>   time server = Yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   printcap name = lpstat
>   domain admin group = @smb-admin
>   domain guest group = @users
>   add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u
>   domain logons = Yes
>   os level = 64
>   preferred master = Yes
>   domain master = Yes
>   wins proxy = Yes
>   wins support = Yes
>   guest account = guest
>   valid users = @smb-admin @ccgm @satyagra
>   admin users = @smb-admin
>   read list = @ccgm @satyagra
>   write list = @smb-admin
>   printer admin = @smb-admin
>   printing = cups
> [homes]
>   comment = Home Directories
>   read only = No
>   browseable = No
> [printers]
>   comment = All Printers
>   path = /var/spool/samba
>   create mask = 0700
>   guest ok = Yes
>   printable = Yes
>   print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
>   browseable = No
> [print$]
>   path = /var/lib/samba/printers
>   write list = @smb-admin

--
Buchan Milne, Mechanical Engineer, Network Manager
Re: [Samba] PDC Problems
Ok this time I attached all the involved files. I try to explain the incident from the very beginning:

I have a linux server (Mandrake Pro Suite 8.2 updated to the latest fixes etc.) I removed the supplied 2.2.3 samba distrib. and reinstalled the new 2.2.6 (mandrake 8.2 rpm taken from the binary distribution of samba.org), the attached smb.conf show how I set it up to act as a PDC. The domain must be CCGM and the server netbios name CCGM-SERVER I just added an alias for backward compatibilities... I created all the users (since we have two distinct kind of users I created two groups i.e. ccgm and satyagra) and 'passed' everyone to smbpasswd.

Now I have to join a W2K PRO SP3 workstation called 'video' to this domain, it run just TCP/IP (no NETBeui neither IPX).

Before attempting to join the domain I set the workstation to act as a standalone pc then rebooted it (I also restarted smbd nmbd) I logged in as administrator, then I start the network ID configuration (I supplied root as the username (with its password) VIDEO as the computer name and CCGM as the domain name), the procedure goes on hanging a little just before the last step after that I found these lines on log.video but the w2k workstation at this time reported no errors:

[2002/11/19 13:13:28, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest

After joining the domain the network ID procedure wizard asked me to add a local user so I tried to import a domain account and I got these lines in the log.video file:

[2002/11/19 13:47:03, 0] smbd/service.c:make_connection(381)
  make_connection: root logged in as admin user (root privileges)
[2002/11/19 13:47:08, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest

This time the w2k workstation reported me the infamous error: Cannot add user the trust relationship has failed

I really cannot understand what's going on...

bye by(t)e[s] TuX!
Re: [Samba] PDC Problems
Try to read and apply /usr/share/doc/samba/readme.w2ksp2 .

----- Original Message -----
From: Michele Santucci [EMAIL PROTECTED]
To: Buchan Milne [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, November 19, 2002 2:04 PM
Subject: Re: [Samba] PDC Problems
Re: [Samba] PDC Problems
Michele Santucci wrote:
> Ok this time I attached all the involved files. I try to explain the incident from the very beginning: I have a linux server (Mandrake Pro Suite 8.2 updated to the latest fixes etc.) I removed the supplied 2.2.3 samba distrib. and reinstalled the new 2.2.6 (mandrake 8.2 rpm taken from the binary distribution of samba.org)

It's normally best *not* to remove a package, but just to upgrade it, but this shouldn't make much of a difference.

> , the attached smb.conf show how I set it up to act as a PDC.

I haven't looked at it in detail now, but FYI, the default smb.conf that ships with the samba RPMS on Mandrake needs about 6 lines uncommented to turn it into a domain controller with many features. I don't like swat because it removes all these well-tested examples which are configured for Mandrake including the directory layout we use.

> The domain must be CCGM and the server netbios name CCGM-SERVER I just added an alias for backward compatibilities... I created all the users (since we have two distinct kind of users I created two groups i.e. ccgm and satyagra) and 'passed' everyone to smbpasswd.
>
> Now I have to join a W2K PRO SP3 workstation called 'video' to this domain, it run just TCP/IP (no NETBeui neither IPX).
>
> Before attempting to join the domain I set the workstation to act as a standalone pc then rebooted it (I also restarted smbd nmbd) I logged in as administrator, then I start the network ID configuration (I supplied root as the username (with its password) VIDEO as the computer name and CCGM as the domain name), the procedure goes on hanging a little just before the last step after that I found these lines on log.video but the w2k workstation at this time reported no errors:
>
> [2002/11/19 13:13:28, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest
>
> After joining the domain the network ID procedure wizard asked me to add a local user

I always use the procedure that I have made animated screenshots of here: http://ranger.dnsalias.com/mandrake/muo/connect/csamba6.html#join

I don't trust wizards ;-).

> so I tried to import a domain account and I got these lines in the log.video file:
>
> [2002/11/19 13:47:03, 0] smbd/service.c:make_connection(381)
>   make_connection: root logged in as admin user (root privileges)
> [2002/11/19 13:47:08, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest
>
> This time the w2k workstation reported me the infamous error: Cannot add user the trust relationship has failed
>
> I really cannot understand what's going on...

But have you rebooted the machine and tried to log in?

Also, we don't run SP3 yet, we currently only run up to SP2 due to issues with the EULA ...

Buchan
Re: [Samba] PDC Problems
In your conf the netlogon share is missing ...

----- Original Message -----
From: Michele Santucci [EMAIL PROTECTED]
To: Samba [EMAIL PROTECTED]
Sent: Monday, November 18, 2002 9:34 PM
Subject: [Samba] PDC Problems

Hello,
That's what I got trying to join a Win2K workstation to my domain (managed by a linux/samba server), after I joined the domain the system refuse to logon/add any domain user reporting a trust relationship failure...

1) All the clients are Windows 2000 sp3 machines (tcp + netbeui)
2) Linux server use a Mandrake 8.2 pro suite running samba 2.2.6

/etc/passwd
video$:x:504:421:Machine Account:/dev/null:/bin/false

/etc/samba/smbpasswd
video$:504:DD8EB67612E73F3842517E31664A1C6C:BC3911425DC8A72332F814FC212ABE91 :[W ]:LCT-3DD8E642:
^ seems like it created the machine account correctly

[root@server samba]# more log.video
[2002/11/18 14:08:17, 0] smbd/service.c:make_connection(381)
  make_connection: root logged in as admin user (root privileges)

As long as I add machine accounts it just show this

[2002/11/18 14:09:18, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest
[2002/11/18 14:10:30, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest

these lines appear after the procedure created the machine account and I try to add a new local account (called michele) taking it from the domain.

[root@server samba]# more log.smbd
[2002/11/18 14:06:42, 0] smbd/server.c:main(707)
  smbd version 2.2.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/11/18 14:07:42, 0] smbd/server.c:open_sockets(238)
  Got SIGHUP

This's my CONFIGURATION file ...

[root@server samba]# more /etc/samba/smb.conf
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2002/11/18 13:52:01
# Global parameters
[global]
  workgroup = CCGM-DOM
  netbios name = CCGM-SERVER
  server string = Samba Server %v
  encrypt passwords = Yes
  update encrypted = Yes
  null passwords = Yes
  pam password change = Yes
  username map = /etc/samba/smbusers
  unix password sync = Yes
  admin log = Yes
  log file = /var/log/samba/log.%m
  max log size = 50
  time server = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  printcap name = lpstat
  domain admin group = @smb-admin
  domain guest group = @users
  add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  wins proxy = Yes
  wins support = Yes
  guest account = guest
  valid users = @smb-admin @ccgm @satyagra
  admin users = @smb-admin
  read list = @ccgm @satyagra
  write list = @smb-admin
  printer admin = @smb-admin
  printing = cups
[homes]
  comment = Home Directories
  read only = No
  browseable = No
[printers]
  comment = All Printers
  path = /var/spool/samba
  create mask = 0700
  guest ok = Yes
  printable = Yes
  print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
  browseable = No
[print$]
  path = /var/lib/samba/printers
  write list = @smb-admin

bye by(t)e[S]...TuX!
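The configuration problems raised in this thread (a domain controller without encrypted passwords, a missing netlogon share, guest mapped onto root, accounts absent from smbpasswd) can be checked mechanically. The Python audit below is an added example, not code from any poster or from the Samba project; its function names, finding codes and sample data are constructed for illustration, and an absent `encrypt passwords` is treated as off, the Samba 2.2 default.

```python
import re


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):             # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    """Samba booleans; a parameter that is absent counts as off in this audit."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def parse_username_map(text):
    """Username map lines 'unixname = client1 client2' -> {client: unixname}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("!")
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, clients = line.split("=", 1)
        for client in clients.split():
            mapping[client.lower()] = unix_name.strip().lower()
    return mapping


def parse_smbpasswd(text):
    """smbpasswd lines 'name:uid:LM:NT:[flags]:LCT-...:' -> {name: flags}."""
    accounts = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) >= 5 and not raw.startswith("#"):
            accounts[fields[0].lower()] = fields[4].strip("[] ")
    return accounts


def audit(conf, username_map="", smbpasswd="", expected=()):
    """Return sorted finding codes for a Samba 2.2-style domain controller."""
    sections = parse_smb_conf(conf)
    glob = sections.get("global", {})
    findings = set()
    if is_yes(glob.get("domain logons")):
        if not is_yes(glob.get("encrypt passwords")):
            findings.add("PDC_WITHOUT_ENCRYPTED_PASSWORDS")
        if "netlogon" not in sections:
            findings.add("PDC_WITHOUT_NETLOGON_SHARE")
    if is_yes(glob.get("null passwords")):
        findings.add("NULL_PASSWORDS_ALLOWED")
    guest = glob.get("guest account", "").lower()
    mapped = parse_username_map(username_map)
    if "root" in (guest, mapped.get("guest"), mapped.get(guest)):
        findings.add("GUEST_MAPPED_TO_ROOT")
    accounts = parse_smbpasswd(smbpasswd)
    for name in expected:               # users and machines that must be able to log on
        flags = accounts.get(name.lower())
        if flags is None:
            findings.add("NO_SMBPASSWD_ENTRY:" + name)
        elif name.endswith("$") and "W" not in flags:
            findings.add("MACHINE_ACCOUNT_WITHOUT_W_FLAG:" + name)
    return sorted(findings)


# Constructed sample inputs (not taken from any poster's files).
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   encrypt passwords = No
   null passwords = Yes
   username map = /etc/samba/smbusers
   domain logons = Yes
   guest account = guest
[homes]
   read only = No
"""
SAMPLE_MAP = "root = administrator guest\n"
PLACEHOLDER_HASH = "X" * 32             # stands in for the LM and NT hash fields
SAMPLE_SMBPASSWD = "".join(
    "%s:%d:%s:%s:[U          ]:LCT-00000000:\n" % (n, u, PLACEHOLDER_HASH, PLACEHOLDER_HASH)
    for n, u in (("root", 0), ("ws1$", 504))
)

if __name__ == "__main__":
    for code in audit(SAMPLE_CONF, SAMPLE_MAP, SAMPLE_SMBPASSWD, ("root", "ws1$", "alice")):
        print(code)
```
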
[Samba] Re: Samba PDC.... no mapping between account names and security IDs was done
Yes I know... you will all say... asked and answered but this is ridiculous... I still cannot add my win 2k wks to my Samba domain... I have created the machine account, and the root account in smbpasswd I have checked and they DO exist... I am running Samba 2.2.6-1, the build which many on these lists claim to fix this win2k problem but as of yet... no luck... here is my smb.conf if anyone can find a problem in it

# Samba config file created using SWAT
# from duar (127.0.0.1)
# Date: 2002/11/16 11:58:30
# Global parameters
[global]
  workgroup = KRONOS
  netbios name = DUAR
  netbios aliases = DUAR
  server string =
  encrypt passwords = Yes
  update encrypted = Yes
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
  passwd chat debug = Yes
  username map = /etc/samba/smbusers
  unix password sync = Yes
  admin log = Yes
  log file = /var/log/samba/log.%m
  max log size = 50
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  domain admin group = @DomainAdmins
  domain guest group = @DomainGuests
  domain logons = Yes
  os level = 33
  lm announce = Yes
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  winbind use default domain = Yes
  alternate permissions = Yes
  valid users = root
  admin users = root
  printer admin = root
  printing = lprng
[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  create mask = 0664
  directory mask = 0775
  browseable = No

Yours Hopefully
Steve Jackson
RE: [Samba] PDC and logon script - try 2
Thanks to everyone. The permissions on the directory and CMD file was the problem (Ok, I feel like a dope now). Anyway, can anyone help with the other problem concerning the printers? I'm afraid I'm gonna have to reinstall RedHat now, since I can't get either NIC card onto the network. Can a samba upgrade kill hardware? LOL

Darin Bawden
TeamDME! Technical Support
Phone: (615)333-1900 x.19
[EMAIL PROTECTED]

-----Original Message-----
From: Noel Kelly [mailto:nkelly;citrusnetworks.net]
Sent: Wednesday, November 06, 2002 9:10 AM
To: 'Darin Bawden'; Samba List
Subject: RE: [Samba] PDC and logon script - try 2

What permissions do you have on your netlogon directory? Should be r-x for everyone.

Noel

-----Original Message-----
From: Darin Bawden [mailto:dbawden;teamdme.com]
Sent: 06 November 2002 14:22
To: Samba List
Subject: [Samba] PDC and logon script - try 2

Hi everyone,

I have a question about the logon script command. I've read and read and read the man page for smb.conf. In essence, I've duplicated the settings on the PDC how-to document to create a PDC with a logon script. However, when I log in, the script doesn't run. The only thing I don't have enabled, like the how-to, is roaming profiles. I'll include my smb.conf for review. I'm running 2.2.5 at work. I have a second Samba at home, with roaming profiles, but it doesn't work there, either (it's running 2.2.6).

A second issue I am having is, after upgrading from 2.2.5 to 2.2.6, all my CUPS printers are not visible over the network. Cups sees them as installed, but I can't see them over the network. I stopped samba before doing the update. I did the update, in which I received an error (which I think I've posted to the list), then I started the samba service. Since then, I've had nothing but trouble. I can't see any printers and I can't get connected to the network (although I don't believe this is due to the update...I think).

Any help would be appreciated as I'm about to update the production server to CUPS.
I was also wanting to update the samba server to 2.2.6

smb.conf:

[global]
  coding system =
  client code page = 850
  code page directory = /usr/share/samba/codepages
  workgroup = TE*
  netbios name = LINUX1
  netbios aliases =
  netbios scope =
  server string = Linux Server
  interfaces =
  bind interfaces only = No
  security = USER
  encrypt passwords = Yes
  update encrypted = No
  allow trusted domains = Yes
  hosts equiv =
  min passwd length = 5
  map to guest = Never
  null passwords = No
  obey pam restrictions = Yes
  password server =
  smb passwd file = /etc/samba/smbpasswd
  root directory =
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
  passwd chat debug = No
  username map =
  password level = 0
  username level = 0
  unix password sync = Yes
  restrict anonymous = No
  lanman auth = Yes
  use rhosts = No
  log level = 2
  syslog = 1
  syslog only = No
  log file = /var/log/samba/%m.log
  max log size = 0
  timestamp logs = Yes
  debug hires timestamp = No
  debug pid = No
  debug uid = No
  protocol = NT1
  large readwrite = No
  max protocol = NT1
  min protocol = CORE
  read bmpx = No
  read raw = Yes
  write raw = Yes
  nt smb support = Yes
  nt pipe support = Yes
  announce version = 4.5
  announce as = NT
  max mux = 50
  max xmit = 65535
  name resolve order = lmhosts host wins bcast
  max packet = 65535
  max ttl = 259200
  max wins ttl = 518400
  min wins ttl = 21600
  time server = Yes
  unix extensions = No
  change notify timeout = 60
  deadtime = 0
  getwd cache = Yes
  keepalive = 300
  lpq cache time = 10
  max smbd processes = 0
  max disk size = 0
  max open files = 1
  read size = 16384
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  stat cache size = 50
  use mmap = Yes
  total print jobs = 0
  load printers = Yes
  printcap name = /etc/printcap
  disable spoolss = No
  enumports command =
  addprinter command =
  deleteprinter command =
  show add printer wizard = Yes
  os2 driver map =
  strip dot = No
  character set =
  mangled stack = 50
  stat cache = Yes
  domain admin group = @root
  domain guest group =
  machine password timeout = 604800
  add user script = /usr/sbin/adduser -d /dev/null -g 100 -s /bin/false -M %m$
  delete user script
Re: [Samba] PDC Problems (read this the first one is incomplete)
> Sorry, I just want to clarify, does it fail when adding a computer account in the domain?

No... it fails after that... when the system asks to create a local profile for a Domain user... it happens with all the users, normal ones and admins...

> > In the machine specific log file I found this:
> >
> > [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
> >   authorise_login: rejected invalid user guest
> > [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
> >   authorise_login: rejected invalid user guest
>
> When you were trying to do what?

When I try to create a local profile for a Domain user...

> > I already set the w2k workstations to send non encrypted password to third parties smb server. I checked /etc/passwd, group and /etc/samba/smbpasswd file and they're correctly updated with machine and user accounts.
>
> You cannot join a windows 2000 machine to a domain if you have set it to use clear text passwords, and your smb.conf is set for encrypted passwords.

U're right it seemed strange to me too but I found notes about setting encryption in the smb.conf file in the samba PDC faq howto and also hints about unsetting the encryption for third party PDCs in similar documentation... and anyway this fix another problem: when u try to add a Domain user in a local machine u can specify it manually or u can browse it from the PDC... if don't enable the password encryption for third parties server the user list browsing fails...

> Can you be more clear on exactly which procedure you are using?

About what?

bye by(t)e[S]...TuX!
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix,without microsoft ADS)
A few more questions and comments... related to this topic

If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a password in the LDAP tree.. just the principal for the user in the userpassword attribute:

userpassword = {kerberos}name@domain

in the smb.conf file do I need stuff like this?

Unix password sync = yes
passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

in this program synchronize-kerb-smb %u is the username and comes in as an argument, then request the password and read it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and then get a valid user/admin ticket using kinit for an account validated by a keytab .. then run

kadmin.local -q 'cpw -pw $password $username'

to synchronize with Kerberos

this has the potential to work(I think)but... I'm missing a few parts.. can a script like this synchronize passwords when they are forced to change their password at the client level.. say expire the users password? And what happens if they change their password using kpassword.. that has the potential to unsynchronize the passwords..

Also.. what about the adding machines trusts to the samba domain?.. I've seen where people use the:

add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$

is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP suffix = ou=people, dc=domain.. but I don't want to add machines to this container.. I would rather put them in something like ou=hosts, dc=domain..

I have many more questions but don't want to change the topic too much...

Jonathan Higgins
Network Service Specialist IV
[EMAIL PROTECTED]

Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM

Here what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in samba object, not in Kerberos KDC since they use incompatible encryption methods. Use Kerberos passwords as primary source and synchronize Windows passwords with them when user changes his password or administrator reset it. This setup will allow to use the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping needed. Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...

Yongjun Rong wrote:

Hi, Andrew,

Thank you very much for your answer. Now our case is as below:

1, our client machine is the windows 2000
2, We want our Kerberos run in the Unix box.
3, We also want the samba as PDC for all windows user and machine.
4, We want integrate the Kerberos Authentication with samba authentication.

So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me . Thank you very much.

John

Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
> Hi, Andrew, This is John from Texas Tech University.I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.
>
> 1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.

> 2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS. Where can start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have download the source of samba3.0alpha20. And I also have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup,
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)
Jonathan Higgins wrote:

> A few more questions and comments... related to this topic
>
> If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a password in the LDAP tree.. just the principal for the user in the userpassword attribute:
>
> userpassword = {kerberos}name@domain

That is correct. I did not mean sync between Kerberos and LDAP, I mean sync between Kerberos and Samba passwords stored in LDAP.

> in the smb.conf file do I need stuff like this?
>
> Unix password sync = yes
> passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

Yes.

> in this program synchronize-kerb-smb %u is the username and comes in as an argument, then request the password and read it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and then get a valid user/admin ticket using kinit for an account validated by a keytab .. then run
>
> kadmin.local -q 'cpw -pw $password $username'
>
> to synchronize with Kerberos

Easier (not yet more secure though) way is creating a separate Kerberos principal with permissions for password change, saving the key (with ktadd -k file) in separate keytab and using the key with kadmin -k -t /path/keytab -p principal_name. Then cpw user@DOMAIN will change password for the user. The cpw command can be passed to kadmin via expect script or via STDIN (less secure though).

> this has the potential to work (I think) but... I'm missing a few parts.. can a script like this synchronize passwords when they are forced to change their password at the client level.. say expire the users password? And what happens if they change their

Kerberos has his own password expiration mechanism. You can write a script that will scan principals in KDC, extract password expire dates and compare it with current date. Then, let's say 5 days before the expiration, it can start sending notifications to users. The warning message can contain a link to a webpage for the password change.

> password using kpassword.. that has the potential to unsynchronize the passwords..

Yes, if user changes password with kpassword, there is no way to synchronize it with Samba password. So users must be instructed to use either standard Windows way to change the passwords, or a webpage. The CGI script will take care of changing passwords in Kerberos and Samba (via smbldap utilities, for example) realms.

> Also.. what about the adding machines trusts to the samba domain?.. I've seen where people use the:
>
> add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$
>
> is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP suffix = ou=people, dc=domain.. but I don't want to add machines to this container.. I would rather put them in something like ou=hosts, dc=domain..

Yes, you can do it with the mentioned smbldap scripts where People and Computers DNs can be configured. Then you use

add user script=/path/smbldap-useradd.pl -w %m$

> I have many more questions but don't want to change the topic too much...

:)

> Jonathan Higgins
> Network Service Specialist IV
> [EMAIL PROTECTED]
>
> Yura Pismerov [EMAIL PROTECTED] 10/31/02 07:38PM
>
> Here what you could use:
>
> LDAP with Kerberos password backend.
> Samba 2.2.6 PDC with LDAP backend.
>
> Windows passwords are stored in LDAP in samba object, not in Kerberos KDC since they use incompatible encryption methods. Use Kerberos passwords as primary source and synchronize Windows passwords with them when user changes his password or administrator reset it. This setup will allow to use the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping needed. Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...
>
> Yongjun Rong wrote:
>
>> Hi, Andrew,
>>
>> Thank you very much for your answer. Now our case is as below:
>>
>> 1, our client machine is the windows 2000
>> 2, We want our Kerberos run in the Unix box.
>> 3, We also want the samba as PDC for all windows user and machine.
>> 4, We want integrate the Kerberos Authentication with samba authentication.
>>
>> So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I
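The Kerberos half of the sync script discussed in this thread, written here as an added Python example (not code from any poster or from the Samba project). It keeps the password out of the kadmin command line and validates the %u value before it reaches a root-run command; the realm, keytab path, principal name and function names are assumptions.

```python
import re
import subprocess
import sys

# Assumed site values (placeholders, not taken from the thread).
REALM = "EXAMPLE.ORG"
KEYTAB = "/etc/samba/pwsync.keytab"
ADMIN_PRINCIPAL = "pwsync/admin"

# Conservative login-name policy. kadmin splits the -q string into words
# itself, so a name containing spaces, quotes or a leading "-" could add
# options to cpw. Machine accounts (trailing "$") are rejected on purpose.
_USER_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


class SyncError(Exception):
    """Raised when input is unsafe or kadmin reports failure."""


def validate_username(name):
    # fullmatch, so a trailing newline cannot slip past the pattern.
    if not _USER_RE.fullmatch(name):
        raise SyncError("refusing unsafe user name %r" % (name,))
    return name


def validate_password(password):
    # The password travels as two newline-terminated lines on stdin, so an
    # embedded line break would desynchronise the prompts.
    if not password or any(c in password for c in "\r\n\0"):
        raise SyncError("empty password or password with control characters")
    return password


def build_kadmin_argv(user, realm=REALM, keytab=KEYTAB, admin=ADMIN_PRINCIPAL):
    """argv for the keytab-authenticated cpw; the password is never in it."""
    principal = "%s@%s" % (validate_username(user), realm)
    return ["kadmin", "-k", "-t", keytab, "-p", admin, "-q", "cpw " + principal]


def sync_kerberos_password(user, password, run=subprocess.run):
    argv = build_kadmin_argv(user)
    payload = (validate_password(password) + "\n") * 2  # new + confirmation
    # Assumption: kadmin reads the two prompts from stdin when it has no
    # terminal, and signals a failed query through its exit status. Verify
    # both for the deployed version.
    result = run(argv, input=payload.encode("utf-8"),
                 stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, timeout=30)
    if result.returncode != 0:
        raise SyncError("kadmin cpw failed for %s" % user)
    return argv


def main():
    # smbd substitutes %u into argv[1]; the new password arrives on stdin.
    if len(sys.argv) != 2:
        return 2
    try:
        sync_kerberos_password(sys.argv[1], sys.stdin.readline().rstrip("\r\n"))
    except SyncError as exc:
        print("pwsync: %s" % exc, file=sys.stderr)  # never log the password
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Compared with cpw -pw on the command line, the password here never appears in the process list or in shell history.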
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)
Yongjun-

Right now, you cannot get Samba to authenticate the user using the kerberos credentials he gets when logging in to the Kerberos Realm on the workstation.

What you can do:

1. Run MIT kerberos 5 on UNIX.
2. Setup pam_krb5 in Solaris to authenticate off of the UNIX kdc. (We use the one supplied with Solaris 8. We couldn't get the Solaris 9 one to work, however. You could always replace it with the open source stuff though.)
3. Setup a Windows 2000 AD domain. Mixed or Native mode shouldn't matter.
4. Create an account/password for the AD server in the UNIX kerberos domain and trust the UNIX kerberos realm from AD with it.
5. Create accounts in AD that match the ones in the UNIX kdc and whatever you're using for passwd/group/shadow (nis, nss_ldap, etc.) with the 'username mapping' set to the username@KERBEROSREALM. The passwords can be randomized. If you need it, I have a vbscript for creating the accounts to help automate this. We're using NIS with no passwords in NIS except for the usual administrative ones since we don't control the kerberos domain here.
6. Setup Samba 2.2.6 --with-pam and in User mode. Samba will authenticate off of kerberos through pam.
7. Setup the Windows 2000 workstations via a group policy object or with a registry editor to Enable Send clear-text passwords to third-party SMB servers.
8. On the Windows 2000 workstations run 'ksetup.exe /addkdc REALMNAME fqdn.of.your.server'. ksetup is in the Windows 2000 resource kit.

That'll work.

*** However, in this configuration, you cannot get drives mapped to shares on the Samba server without the user typing in the password interactively.*** You'll need to create a script for the users to use for this purpose. ('net use U: \\server\%username% /persistent:no')

Hopefully by 3.0 release the kerberos authentication will work in this setup and drive mapping can be done automatically and we can do things like Folder Redirection to samba shares!

Additional cool things would involve editing the resources in the MSGINA.DLL to add some more explanatory info for users so that they know to login to the '(Kerberos Realm)' and not the local workstation or AD domain.

Donald Saltarelli

On Thu, 2002-10-31 at 12:28, Yongjun Rong wrote:

> Hi, Andrew,
>
> Thank you very much for your answer. Now our case is as below:
>
> 1, our client machine is the windows 2000
> 2, We want our Kerberos run in the Unix box.
> 3, We also want the samba as PDC for all windows user and machine.
> 4, We want integrate the Kerberos Authentication with samba authentication.
>
> So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me. Thank you very much.
>
> John
>
> Original Message
> From: Andrew Bartlett
> Date: Mon 10/28/02 17:24
> To: Yongjun Rong
> Cc: [EMAIL PROTECTED]
> Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
>
> Yongjun Rong wrote:
>
>> Hi, Andrew, This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.
>>
>> 1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?
>
> If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.
>
>> 2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS. Where can start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have download the source of samba3.0alpha20. And I also have configure the samba as a PDC for my win2k client.
>
> You can't do PDC stuff with this kind of setup, not until we get a *lot* more Active Directory work done.
>
>> 3, You said that samba should support the MIT kerberos. But not at this moment. Did it support kerberos in the older version or not? which version? If it was not support. I wish I can do something for it. Thank you very much for your help. John.
>
> In a very old version, we used the host keytab. Now we
Re: [Samba] PDC Problems (read this the first one is incomplete)
Michele Santucci wrote:

> I've got a big problem with my PDC (Mandrake 8.2 with samba 2.2.5): when I try to join the domain from a W2KPRO (sp3) workstation the procedure goes on well until it require to create a local account for a Domain user ... the system let me browse all the user account on the domain controller but when I try to add it reports this error:
>
> The trust relationship between this workstation and the primary domain is failed (probably the english text is different but this should be the meaning since I'm translating it from italian).
>
> security = USER
> add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$

According to the smb.conf man page security has to be DOMAIN or SERVER to use the add user script option.

man smb.conf

Search for add user script for details.

--
Mike Rambo [EMAIL PROTECTED]

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] PDC Problems (read this the first one is incomplete)
>> The trust relationship between this workstation and the primary domain is failed (probably the english text is different but this should be the meaning since I'm translating it from italian).
>>
>> security = USER
>> add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
>
> According to the smb.conf man page security has to be DOMAIN or SERVER to use the add user script option.

I don't know what man page u're reading but mine says that the only security option not useable for the adduser script is 'SHARE' anyway the 'USER' option is compulsory since I have got to set the samba server to act as a PDC.

Anyone else listening

c'ya ... TUX
Re: [Samba] PDC Problems (read this the first one is incomplete)
Michele Santucci wrote:

>>> The trust relationship between this workstation and the primary domain is failed (probably the english text is different but this should be the meaning since I'm translating it from italian).
>>>
>>> security = USER
>>> add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
>>
>> According to the smb.conf man page security has to be DOMAIN or SERVER to use the add user script option.
>
> I don't know what man page u're reading but mine says that the only security option not useable for the adduser script is 'SHARE' anyway the 'USER' option is compulsory since I have got to set the samba server to act as a PDC.
>
> Anyone else listening
>
> c'ya ... TUX

Sorry - only tried to help...

SMB.CONF(5)                                                  SMB.CONF(5)

NAME
    smb.conf - The configuration file for the Samba suite

SYNOPSIS
    The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The smb.conf file is designed to be configured and administered by the swat(8) program. The complete description of the file format and possible parameters held within are here for reference purposes.

SNIP

add user script (G)
    This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

    Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

    In order to use this option, smbd must be set to security = server or security = domain and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

    When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

    If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

    See also security, password server, delete user script.

    Default: add user script = empty string

    Example: add user script = /usr/local/samba/bin/add_user %u

This box has samba 2.2.2 - has it changed with newer/older versions?

--
Mike Rambo [EMAIL PROTECTED]
Re: [Samba] PDC Problems (read this the first one is incomplete)
> Message: 3
> From: Michele Santucci [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Thu, 31 Oct 2002 10:25:34 +0100
> Subject: [Samba] PDC Problems (read this the first one is incomplete)
>
> Sorry but I've posted an incomplete message before that:
>
> I've got a big problem with my PDC (Mandrake 8.2 with samba 2.2.5): when I try to join the domain from a W2KPRO (sp3) workstation the procedure goes on well until it require to create a local account for a Domain user ... the system let me browse all the user account on the domain controller but when I try to add it reports this error:

Sorry, I just want to clarify, does it fail when adding a computer account in the domain?

> The trust relationship between this workstation and the primary domain is failed (probably the english text is different but this should be the meaning since I'm translating it from italian).
>
> In the machine specific log file I found this:
>
> [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest
> [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
>   authorise_login: rejected invalid user guest

When you were trying to do what?

> I already set the w2k workstations to send non encrypted password to third parties smb server. I checked /etc/passwd, group and /etc/samba/smbpasswd file and they're correctly updated with machine and user accounts.

You cannot join a windows 2000 machine to a domain if you have set it to use clear text passwords, and your smb.conf is set for encrypted passwords.

> Anyway these are smb.conf, group,passwd and smbpasswd interested rows:

Which show that you have successfully added machines with the name video and gfx to the domain.

FYI, if you have any pre-sp3 machines, please test with those first ...

And, with the default smb.conf (such as http://ranger.dnsalias.com/mandrake/samba/smb.conf), you only have to uncomment about 10 lines to get a working smb.conf for a domain controller (such as this file http://ranger.dnsalias.com/mandrake/samba/smb-domain-controller.conf) on any recent version of Mandrake linux.

Can you be more clear on exactly which procedure you are using?

And to answer Mike Rambo's replies, when samba runs in 'security = user', add user script is used when samba creates a new machine account. Mandrake ships with the following example for a domain controller not using LDAP backend:

# Script for domain controller for adding machines:
; add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u

Regards,
Buchan (PDC runs Mandrake 8.2 / samba-2.2.6).

--
Registered Linux User #182071
Buchan Milne, Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
RE: [Samba] PDC connect problem
First simplify your smb.conf file so you can eliminate anything else that may conflict. Start with the bare minimum needed for a pdc. Try adding wins support = yes to have it act as a wins server.

Hope this helps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:samba-admin;lists.samba.org] On Behalf Of Richard Fox
Sent: Thursday, October 31, 2002 11:32 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC connect problem

This is my second attempt to get some help.. maybe my first post was too complex, so I will simplify it and if you need more information you will ask me. I am quite stuck so I would really appreciate some help.

I am trying to connect an NT box, mercury, to a RedHat 7.3 PDC, thor. When I try to logon to the domain from mercury I get an error msg on my NT box which says the domain controller for this domain cannot be located.

My smb.conf global section is:

[global]
   workgroup = MYGROUP
   netbios name = THOR
   server string = Samba PDC %v %h
   max log size = 50
   security = user
   smb passwd file = /etc/samba/smbpasswd
   encrypt passwords = Yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
   os level = 65
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon home = \\%L\%u
   logon drive = H:
   logon script = netlogon.bat
   logon path = \\%L\Profiles\%u
   hosts allow = 192.168.1., 127.

Mercury and thor are on their own private network, all other machines here are on 192.168.0. I cannot pinpoint the problem. When I try to log in from mercury, the samba log files on thor do not even register the attempt. It should be something simple, but I have been tweaking for 3 days and no success

Help!
Re: [Samba] PDC connect problem
On Thursday 31 October 2002 4:31 pm, Richard Fox wrote:

> This is my second attempt to get some help.. maybe my first post was too complex, so I will simplify it and if you need more information you will ask me. I am quite stuck so I would really appreciate some help.
>
> I am trying to connect an NT box, mercury, to a RedHat 7.3 PDC, thor. When I try to logon to the domain from mercury I get an error msg on my NT box which says the domain controller for this domain cannot be located.
>
> My smb.conf global section is:
> ...
> Help!

If this is a multi-homed machine then you might try

interfaces = xxx.xxx.xxx.xxx
bind interfaces only = yes

I only guess at this because your other internal network is 192.168.0.1 and you are only allowing 192.168.1. Which makes me think that maybe your machine has two interfaces and samba's trying to bind to both.
Re: [Samba] PDC connect problem
> If this is a multi-homed machine then you might try
>
> interfaces = xxx.xxx.xxx.xxx
> bind interfaces only = yes

I tried this and it had no effect on the problem, which is that the domain controller for this domain cannot be located. In order to eliminate any possible problem of multiple networks I deleted the other network device, eth1, which was inactive anyway, from my PDC machine. Also all other hosts on the 192.168.0. network have been removed from my /etc/hosts file. Now I just have eth0 set to 192.168.1.10 and localhost, thor (RH 7.3 PDC), and mercury 192.168.1.7 (NT) in my /etc/hosts.

I also tried wins support = yes and this also had no effect.

I do believe, from what I have read, that I have a minimal smb.conf file for a PDC. Here it is again:

[global]
   workgroup = MYGROUP
   netbios name = THOR
   os level = 64
   domain master = yes
   preferred master = yes
   local master = yes
   security = user
   encrypt passwords = yes
   domain logons = yes
   logon path = \\%L\Profiles\%u
   logon drive = H:
   logon home = \\%L\%u
   logon script = netlogon.bat

[homes]
   comment = Home Directories
   path = %H
   writeable = Yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

[netlogon]
   comment = Network Logon Services
   path = /home/samba/netlogon
   read only = yes
   # list of all possible users who I could imagine would try to connect during testing.
   # All have samba passwords = Unix passwords (or NT in case of Administrator)
   write list = Administrator, rfox, root

[Profiles]
   path = /home/samba/profiles
   browseable = No

I am very surprised that the log file shows no attempt to connect when I try to join the domain MYGROUP from mercury. The log file does show that samba initialized ok and is waiting for connections.

I don't know how to simplify things any further. My network is 2 machines only, no additional interfaces. I did remove the DNS server IPs and gateway IP from mercury's TCP/IP settings but this also made no difference so I put them back.

Keep these ideas coming, I am completely stumped.

Thanks,
Rich
RE: [Samba] PDC connect problem
This is all you should need for a bare minimum PDC to work.

[global]
   domain logons = yes
   domain master = yes
   security = user
   workgroup = YOURDOMAIN
   encrypt passwords = yes

[netlogon]
   path=/usr/local/netlogon
   writeable = no
   guest ok = no

Make sure netlogon directory exists and then run the testparm utility with this config.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:samba-admin;lists.samba.org] On Behalf Of Richard Fox
Sent: Thursday, October 31, 2002 2:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Samba] PDC connect problem

> If this is a multi-homed machine then you might try
>
> interfaces = xxx.xxx.xxx.xxx
> bind interfaces only = yes

I tried this and it had no effect on the problem, which is that the domain controller for this domain cannot be located. In order to eliminate any possible problem of multiple networks I deleted the other network device, eth1, which was inactive anyway, from my PDC machine. Also all other hosts on the 192.168.0. network have been removed from my /etc/hosts file. Now I just have eth0 set to 192.168.1.10 and localhost, thor (RH 7.3 PDC), and mercury 192.168.1.7 (NT) in my /etc/hosts.

I also tried wins support = yes and this also had no effect.

I do believe, from what I have read, that I have a minimal smb.conf file for a PDC. Here it is again:

[global]
   workgroup = MYGROUP
   netbios name = THOR
   os level = 64
   domain master = yes
   preferred master = yes
   local master = yes
   security = user
   encrypt passwords = yes
   domain logons = yes
   logon path = \\%L\Profiles\%u
   logon drive = H:
   logon home = \\%L\%u
   logon script = netlogon.bat

[homes]
   comment = Home Directories
   path = %H
   writeable = Yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

[netlogon]
   comment = Network Logon Services
   path = /home/samba/netlogon
   read only = yes
   # list of all possible users who I could imagine would try to connect during testing.
   # All have samba passwords = Unix passwords (or NT in case of Administrator)
   write list = Administrator, rfox, root

[Profiles]
   path = /home/samba/profiles
   browseable = No

I am very surprised that the log file shows no attempt to connect when I try to join the domain MYGROUP from mercury. The log file does show that samba initialized ok and is waiting for connections.

I don't know how to simplify things any further. My network is 2 machines only, no additional interfaces. I did remove the DNS server IPs and gateway IP from mercury's TCP/IP settings but this also made no difference so I put them back.

Keep these ideas coming, I am completely stumped.

Thanks,
Rich
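An added example, not from the thread or the Samba project: a Python check of an smb.conf against the bare-minimum PDC settings listed in the reply above. The function names and the BROKEN sample are constructed for illustration; the check reads only what the file states and does not model Samba's defaults.

```python
import re

# Settings from the "bare minimum PDC" reply above.
MINIMAL = """\
[global]
domain logons = yes
domain master = yes
security = user
workgroup = YOURDOMAIN
encrypt passwords = yes
[netlogon]
path=/usr/local/netlogon
writeable = no
guest ok = no
"""

# Constructed sample with several deviations, for illustration only.
BROKEN = """\
[global]
   workgroup = MYGROUP
   Domain Logons = Yes
   security = share
   ; encrypt passwords = yes
[netlogon]
   path = /home/samba/netlogon
   guest ok = yes
   writeable = yes
"""

REQUIRED_YES = ("domain logons", "domain master", "encrypt passwords")


def _norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending = line[:-1]           # continuation onto the next line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(_norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # only the first "=" counts
            current[_norm(key)] = value.strip()
    return sections


def _as_bool(value, default=None):
    v = (value or "").strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def _read_only(share):
    # "writeable", "writable" and "write ok" are inverted synonyms of "read only".
    if "readonly" in share:
        return _as_bool(share["readonly"], True)
    for synonym in ("writeable", "writable", "writeok"):
        if synonym in share:
            return not _as_bool(share[synonym], False)
    return True


def check_pdc(text):
    """List every deviation from the minimal PDC settings; [] means none."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name in REQUIRED_YES:
        if _as_bool(glob.get(_norm(name))) is not True:
            findings.append("[global] %s is not set to yes" % name)
    if glob.get("security", "").lower() != "user":
        findings.append("[global] security is not user")
    if not glob.get("workgroup"):
        findings.append("[global] workgroup is not set")
    share = conf.get("netlogon")
    if share is None or not share.get("path"):
        findings.append("[netlogon] share with a path is missing")
    else:
        if _as_bool(share.get("guestok")) is True:
            findings.append("[netlogon] guest ok is enabled")
        if not _read_only(share):
            findings.append("[netlogon] share is writeable")
    return findings


if __name__ == "__main__":
    for finding in check_pdc(BROKEN):
        print(finding)
```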
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)
Hi, Andrew,

Thank you very much for your answer. Now our case is as below:

1, our client machine is the windows 2000
2, We want our Kerberos run in the Unix box.
3, We also want the samba as PDC for all windows user and machine.
4, We want integrate the Kerberos Authentication with samba authentication.

So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me. Thank you very much.

John

Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:

> Hi, Andrew, This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.
>
> 1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.

> 2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS. Where can start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have download the source of samba3.0alpha20. And I also have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot* more Active Directory work done.

> 3, You said that samba should support the MIT kerberos. But not at this moment. Did it support kerberos in the older version or not? which version? If it was not support. I wish I can do something for it. Thank you very much for your help. John.

In a very old version, we used the host keytab. Now we use our own secrets.tdb file, which we maintain. This is because in an ADS environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. CC me if you want me to actually read it however :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] PDC connect problem: II
> This is all you should need for a bare minimum PDC to work.
> snip

I tried this, it didn't work, I then found out about DIAGNOSTICS.txt in the samba distribution and started going through it step by step. I failed Step 5, which reads:

TEST 5:
---
run the command nmblookup -B ACLIENT '*'

You should get the PCs IP address back. If you don't then the client software on the PC isn't installed correctly, or isn't started, or you got the name of the PC wrong.

If ACLIENT doesn't resolve via DNS then use the IP address of the client in the above test.

When I run nmblookup -B mercury '*' I get:

[root@thor etc]# nmblookup -B MERCURY '*'
querying * on 192.168.1.7
name_query failed to find name *

The address to mercury is resolved fine, but the lookup failed. This means that the TCP/IP setup on the mercury NT box is wrong, no? Any ideas what this could be?
Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)
Here is what you could use: LDAP with Kerberos password backend. Samba 2.2.6 PDC with LDAP backend. Windows passwords are stored in LDAP in samba object, not in Kerberos KDC since they use incompatible encryption methods. Use Kerberos passwords as primary source and synchronize Windows passwords with them when user changes his password or administrator resets it.

This setup will allow to use the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping needed. Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...

Yongjun Rong wrote:

Hi, Andrew,

Thank you very much for your answer. Now our case is as below:

1, our client machine is the windows 2000
2, We want our Kerberos run in the Unix box.
3, We also want the samba as PDC for all windows user and machine.
4, We want integrate the Kerberos Authentication with samba authentication.

So in this situation, can we get the kerberos login from the windows 2000 client because the windows 2000 is support kerberos authentication. If it can, where can I start? I have already setup the environment for windows 2000 client authenticating himself to the Kerberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are separated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map (using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me. Thank you very much.

John

Original Message
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:

Hi, Andrew,

This is John from Texas Tech University. I have read your reply about samba and kerberos. May I ask you some question about samba and Kerberos.

1, Is the samba can use the kerberos (Not with ADS, Just MIT or SEAM in Solaris) as the authentication services and store samba user and passwd in the kerberos database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using ADS, then the modification is relatively simple, and is part of the work towards an Active Directory replacement.

2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS. Where can start to change the source to enable the support for MIT or SEAM in solaris? How can I do it? I have download the source of samba3.0alpha20. And I also have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot* more Active Directory work done.

3, You said that samba should support the MIT kerberos. But not at this moment. Did it support kerberos in the older version or not? which version? If it was not support. I wish I can do something for it. Thank you very much for your help.

John.

In a very old version, we used the host keytab. Now we use our own secrets.tdb file, which we maintain. This is because in an ADS environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. CC me if you want me to actually read it however :-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] PDC and BDC
You can achieve this using LDAP as a samba and unix password backend. I've done this and it works quite nicely

Best
Diego

On Wed, 2002-10-30 at 11:46, Gurnish Anand wrote:

Hello,

How can I make two linux servers sync passwords. Is it something I do with Samba?? I want both the unix accounts and samba accounts be sync'ed. Please help!!

Thanks,
Gurnish
Re: [Samba] PDC Problems
When do you get this problem and what are your client settings. Are you moving an existing account to another machine or the same machine with a new os?

Nick

Michele Santucci wrote:

This is my conf file. I still have problems but the error message is different this time, it sounds like (translating it from Italian):

It's impossible to join this machine to the domain. There's a conflict between the supplied credential and pre existent ones

P.S. When will v3.0 be released?

bye
by(t)e[S]...TuX!

# Samba config file created using SWAT # from 0.0.0.0 (0.0.0.0) # Date: 2002/10/25 17:42:26 # Global parameters [global] coding system = client code page = 850 code page directory = /var/lib/samba/codepages workgroup = CCGM netbios name = SERVER-CCGM netbios aliases = netbios scope = server string = CCGM Samba Server interfaces = eth0 bind interfaces only = No security = USER encrypt passwords = Yes update encrypted = No allow trusted domains = Yes hosts equiv = min passwd length = 5 map to guest = Never null passwords = No obey pam restrictions = No password server = smb passwd file = /etc/samba/smbpasswd root directory = pam password change = No passwd program = /usr/bin/passwd passwd chat = *new*password* %n\n *new*password* %n\n *changed* passwd chat debug = No username map = password level = 0 username level = 0 unix password sync = Yes restrict anonymous = No lanman auth = Yes use rhosts = No admin log = No log level = 0 syslog = 1 syslog only = No log file = /var/log/samba/log.%m max log size = 50 timestamp logs = Yes debug hires timestamp = No debug pid = No debug uid = No protocol = NT1 large readwrite = No max protocol = NT1 min protocol = CORE read bmpx = No read raw = Yes write raw = Yes nt smb support = Yes nt pipe support = Yes nt status support = Yes announce version = 4.5 announce as = NT max mux = 50 max xmit = 65535 name resolve order = lmhosts host wins bcast max packet = 65535 max ttl = 259200 max wins ttl = 518400 min wins ttl = 21600 time server = No unix
extensions = No change notify timeout = 60 deadtime = 0 getwd cache = Yes keepalive = 300 lpq cache time = 10 max smbd processes = 0 max disk size = 0 max open files = 1 read size = 16384 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 stat cache size = 50 use mmap = Yes total print jobs = 0 load printers = Yes printcap name = lpstat disable spoolss = No enumports command = addprinter command = deleteprinter command = show add printer wizard = Yes os2 driver map = strip dot = No mangling method = hash character set = mangled stack = 50 stat cache = Yes domain admin group = ccgm-admin domain guest group = machine password timeout = 604800 add user script = delete user script = logon script = logon path = \\%N\%U\profile logon drive = logon home = \\%N\%U domain logons = Yes os level = 65 lm announce = Auto lm interval = 60 preferred master = True local master = Yes domain master = True browse list = Yes enhanced browsing = Yes dns proxy = Yes wins proxy = Yes wins server = wins support = Yes wins hook = kernel oplocks = Yes lock spin count = 3 lock spin time = 10 oplock break wait time = 0 add share command = change share command = delete share command = config file = preload = lock dir = /var/cache/samba pid directory = /var/run/samba utmp directory = wtmp directory = utmp = No default service = message command = dfree command = valid chars = remote announce = remote browse sync = socket address = 0.0.0.0 homedir map = auto.home time offset = 0 NIS homedir = No source environment = panic action = hide local users = No host msdfs = No winbind uid = winbind gid = template homedir = /home/%D/%U template shell = /bin/false winbind separator = \ winbind cache time = 15 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes comment = path = alternate permissions = No username = guest guest account = guest invalid users = valid users = ccgm-admin, ccgm, satya admin users = ccgm-admin read list = write list = printer admin = force 
user = force group = read only = Yes create mask = 0744 force create mode = 00 security mask = 0777 force security mode = 00 directory mask = 0755 force directory mode = 00 directory security mask = 0777 force directory security mode = 00 force unknown acl user = 00 inherit permissions = No inherit acls = No guest only = No guest ok = No only user = No hosts allow = hosts deny = status = Yes nt acl support = Yes block size = 1024 max connections = 0 min print space = 0 strict allocate = No strict sync = No sync always = No write cache size = 0 max print jobs = 1000 printable = No postscript = No printing = cups print command = lpr -r -P%p %s lpq command = lpq -P%p lprm command = lprm -P%p %j lppause
Re: [Samba] PDC Problems
On the client machine;

Control Panel > Administration Tools > Local Security Policy > Local Policy > Security Options

Send unencrypted password to third-party SMB servers = enabled

Michele Santucci wrote:

Are the user and machine$ added to your /etc/passwd and smbpasswd files?

all the user already added, I'm trying to add machine$ automatically (via adduser)

Also do you have send unencrypted passwd to third party smb servers enabled in your local security policy settings?

How? Something like that?

encrypt passwords = Yes

bye
by(t)e[S]...TuX!
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
On Tue, 4 Jun 2002, Klaus Zahradnik wrote:

Nope, I just checked in a Book. It can't act as a Backup Domain Controller. :o(

We are talking about two different things here. Samba cannot act as a BDC for a Windows PDC, but my tests showed that we can act as a BDC for another Samba box.

cheers, jerry
-
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
--http://www.plainjoe.org
Sam's Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
--I never saved anything for the swim back. Ethan Hawk in Gattaca--
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
On Tue, 4 Jun 2002, Yannick Tousignant wrote:

In this link : http://www.samba.org/samba/ftp/docs/htmldocs/Samba-BDC-HOWTO.html It seems possible to act like BDC as long as the PDC is a samba machine. I did everything there, and both servers have the same secrets.tdb file.

My testing using an smbpasswd (several months ago) worked ok. I never ran the setup in production though. I'll run some tests later this week and see what's going on. For the record, your setup should work as far as I can tell.

cheers, jerry
-
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
--http://www.plainjoe.org
Sam's Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
--I never saved anything for the swim back. Ethan Hawk in Gattaca--
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
On Tue, 4 Jun 2002, Yannick Tousignant wrote:

Hi, I tried to move the current PDC to another machine that has the same LDAP database. It didn't work... There is something about the machine account! How does samba handle this? I could not logon to the moved PDC, so I rejoined the domain (added my machine in TEMP workgroup, reboot, rejoin the domain, reboot), and then it worked! Is there any way I can bypass this?

Can the uid's for passwd entries sync'd on both servers?

cheers, jerry
-
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
--http://www.plainjoe.org
Sam's Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
--I never saved anything for the swim back. Ethan Hawk in Gattaca--
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
Hi,

Thanks for replying to me Gerald.

Hi, I tried to move the current PDC to another machine that has the same LDAP database. It didn't work... There is something about the machine account! How does samba handle this? I could not logon to the moved PDC, so I rejoined the domain (added my machine in TEMP workgroup, reboot, rejoin the domain, reboot), and then it worked! Is there any way I can bypass this?

Can the uid's for passwd entries sync'd on both servers?

That's not the problem, because they are sync'd on both servers using slurpd. How does samba handle the validity of a machine password? If I can solve this, then I can have a BDC... I'm thinking maybe add a MACHINE.SID file to both servers, with the same SID. Maybe that can solve my problem. I'll keep you informed.

Yannick

cheers, jerry
-
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
--http://www.plainjoe.org
Sam's Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
--I never saved anything for the swim back. Ethan Hawk in Gattaca--
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
Can samba act as a BDC? I thought I read somewhere that it can only be a PDC or a member server. I could be wrong though...

Brett

-Original Message-
From: Yannick Tousignant [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:47 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Hi,

I'm trying to build a PDC and BDC to eliminate Windows NT on a network and have load balancing and fault tolerance for users. I've compiled samba 2.2.4 on two servers, working with openldap 2.0.23 with a master and a slave. Replication on LDAP servers works fine. I've set up a domain controller and wanted to set the other server as BDC in case the PDC goes down.

Each time I put the domain logons = yes option, some people can't log in, computers seem to seek for a domain controller. Also, logon scripts aren't executed upon login... When I disconnect network cable on the PDC, users can log into the BDC fine but login scripts aren't executed. When I plug back the PDC, some users can no longer login (bad user). When I disconnect the BDC, everything works fine. For now I disabled the domain logons = yes on the BDC, so there is no load balancing and fault tolerance for users. =(

Here is my smb.conf on both servers :

PDC :

[global]
netbios name = PDC
workgroup = OKA
os level = 64
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

BDC :

[global]
netbios name = BDC
workgroup = OKA
security = user
encrypt passwords = yes
domain logons = yes
os level = 63
local master = yes
domain master = no
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

===
Hope I can do something about it... thanks!

Yannick Tousignant
===
Gestion Informatique OKA ltée.
Téléphone : (514) 282-9334 (#238)
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
In this link : http://www.samba.org/samba/ftp/docs/htmldocs/Samba-BDC-HOWTO.html It seems possible to act like BDC as long as the PDC is a samba machine. I did everything there, and both servers have the same secrets.tdb file.

thanks for helping me!

Yannick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cates, Brett
Sent: Tuesday, June 04, 2002 8:55 AM
To: 'Yannick Tousignant'; [EMAIL PROTECTED]
Subject: RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Can samba act as a BDC? I thought I read somewhere that it can only be a PDC or a member server. I could be wrong though...

Brett

-Original Message-
From: Yannick Tousignant [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:47 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Hi,

I'm trying to build a PDC and BDC to eliminate Windows NT on a network and have load balancing and fault tolerance for users. I've compiled samba 2.2.4 on two servers, working with openldap 2.0.23 with a master and a slave. Replication on LDAP servers works fine. I've set up a domain controller and wanted to set the other server as BDC in case the PDC goes down.

Each time I put the domain logons = yes option, some people can't log in, computers seem to seek for a domain controller. Also, logon scripts aren't executed upon login... When I disconnect network cable on the PDC, users can log into the BDC fine but login scripts aren't executed. When I plug back the PDC, some users can no longer login (bad user). When I disconnect the BDC, everything works fine. For now I disabled the domain logons = yes on the BDC, so there is no load balancing and fault tolerance for users. =(

Here is my smb.conf on both servers :

PDC :

[global]
netbios name = PDC
workgroup = OKA
os level = 64
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

BDC :

[global]
netbios name = BDC
workgroup = OKA
security = user
encrypt passwords = yes
domain logons = yes
os level = 63
local master = yes
domain master = no
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

===
Hope I can do something about it... thanks!

Yannick Tousignant
===
Gestion Informatique OKA ltée.
Téléphone : (514) 282-9334 (#238)
RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4
Hi,

I tried to move the current PDC to another machine that has the same LDAP database. It didn't work... There is something about the machine account! How does samba handle this? I could not logon to the moved PDC, so I rejoined the domain (added my machine in TEMP workgroup, reboot, rejoin the domain, reboot), and then it worked! Is there any way I can bypass this?

Yannick

-Original Message-
From: Tarjei Huse [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:24 PM
To: Yannick Tousignant
Subject: RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Try samba-tng.

TH

Quoting Yannick Tousignant [EMAIL PROTECTED]:

That's exactly what I did, I replicated the ldap database between the 2 servers, so it's like I'm replicating linux users, and samba users. I copied the secrets.tdb from the PDC to the BDC (seems to be the new MACHINE.SID). But when I put domain logons = yes they all seem to authenticate on the BDC, users that have already logged on once before the BDC was up still work, but logon scripts aren't executed, and users that never logged in don't work at all (user/passwd don't work at logon). It's pretty weird to me, maybe samba 2.2.4 is not suitable to have 2 servers that users can authenticate. Hope I can find a solution...

Yannick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tarjei Huse
Sent: Tuesday, June 04, 2002 11:02 AM
To: Klaus Zahradnik
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Did you see the other BDC howto? Combine this with a replicated openldap server and I think you're done, although I've never had the need :)

Tarjei

PLEASE!?! :o)

Klaus

On 4 Jun 2002 at 7:55, Cates, Brett wrote:

Can samba act as a BDC? I thought I read somewhere that it can only be a PDC or a member server. I could be wrong though...

Brett

-Original Message-
From: Yannick Tousignant [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 7:47 AM
To: [EMAIL PROTECTED]
Subject: [Samba] PDC and BDC with LDAP and Samba 2.2.4

Hi,

I'm trying to build a PDC and BDC to eliminate Windows NT on a network and have load balancing and fault tolerance for users. I've compiled samba 2.2.4 on two servers, working with openldap 2.0.23 with a master and a slave. Replication on LDAP servers works fine. I've set up a domain controller and wanted to set the other server as BDC in case the PDC goes down.

Each time I put the domain logons = yes option, some people can't log in, computers seem to seek for a domain controller. Also, logon scripts aren't executed upon login... When I disconnect network cable on the PDC, users can log into the BDC fine but login scripts aren't executed. When I plug back the PDC, some users can no longer login (bad user). When I disconnect the BDC, everything works fine. For now I disabled the domain logons = yes on the BDC, so there is no load balancing and fault tolerance for users. =(

Here is my smb.conf on both servers :

PDC :

[global]
netbios name = PDC
workgroup = OKA
os level = 64
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

BDC :

[global]
netbios name = BDC
workgroup = OKA
security = user
encrypt passwords = yes
domain logons = yes
os level = 63
local master = yes
domain master = no
time server = yes
ldap suffix = dc=OKA
ldap admin dn = cn=ADMIN,dc=OKA
ldap ssl = off
ldap server = 127.0.0.1
ldap port = 389
logon path =
logon home =
logon script = users.bat
domain admin group = root

[netlogon]
path = /home/netlogon
read only = yes
write list = root

===
Hope I can do something about it... thanks!

Yannick Tousignant
===
Gestion Informatique
Re: [Samba] PDC login problem solved
»Alexander Skwar« said on 2002-05-12 at 09:39:44 + :

I've now solved the problem. If you remember, I was unable to login from Windows 2000 to a Samba PDC.

Well, seems like I just was lucky with this Windows 2000 :( I'm now trying to join a Windows XP Pro to the domain and am having the exact same problems again:

[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(124) challenge : 7E4AAC6B38C9CDEE
[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(125) calculated: 23F65703AB1FDCFE
[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(134) credentials check wrong

Urgs. I've checked the registry for the signorseal bit and set it to 0 (as per the WinXP_reg patch). The computer is named in all lower case both on the Windows side and in Samba.

If somebody could please help me :|

Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.iso-top.de | Jabber: [EMAIL PROTECTED]
iso-top.de - The affordable way to get Linux distributions
Uptime: 21 hours 35 minutes
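An added example, not part of the thread: a Python parser that pairs the `challenge` and `calculated` values from `cred_assert` records such as the three in the post above and counts the pairs that disagree. The function names are hypothetical, and the second and third sample entries are constructed for illustration; only the first entry comes from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# smbd debug header: [date time, level] source-file:function(line)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)"
)
# The two value lines cred_assert writes: a label and 16 hex digits (8 bytes).
VALUE = re.compile(r"^(challenge|calculated)\s*:\s*([0-9A-Fa-f]{16})$")

SAMPLE_LOG = (
    # From the post, in the flattened one-line form it has on this page.
    "[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(124) challenge : 7E4AAC6B38C9CDEE "
    "[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(125) calculated: 23F65703AB1FDCFE "
    "[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(134) credentials check wrong\n"
    # Constructed: a pair that agrees, header and message on separate lines
    # (assumed on-disk layout).
    "[2002/05/12 12:41:02, 5] libsmb/credentials.c:cred_assert(124)\n"
    "  challenge : 0123456789ABCDEF\n"
    "[2002/05/12 12:41:02, 5] libsmb/credentials.c:cred_assert(125)\n"
    "  calculated: 0123456789abcdef\n"
    # Constructed: a log that ends right after a challenge line.
    "[2002/05/12 12:50:30, 5] libsmb/credentials.c:cred_assert(124)\n"
    "  challenge : 1111111111111111\n"
)


@dataclass
class Check:
    timestamp: str
    challenge: str   # value logged under the "challenge" label
    calculated: str  # value logged under the "calculated" label

    @property
    def ok(self) -> bool:
        return self.challenge == self.calculated


def records(text):
    """Yield (timestamp, level, function, message) for every debug record.

    The message is whatever sits between one header and the next, so the
    flattened and the multi-line layouts parse the same way.
    """
    heads = list(HEADER.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[head.end():end].split())
        yield head["ts"], int(head["level"]), head["func"], message


def credential_checks(text):
    """Pair challenge/calculated records; return (checks, incomplete_count)."""
    checks, incomplete, pending = [], 0, None
    for ts, _level, func, message in records(text):
        if func != "cred_assert":
            continue
        m = VALUE.match(message)
        if not m:
            continue  # verdict line; the result is recomputed from the values
        kind, value = m.group(1), m.group(2).upper()
        if kind == "challenge":
            if pending is not None:
                incomplete += 1  # previous challenge never got its partner
            pending = (ts, value)
        elif pending is None:
            incomplete += 1      # calculated value with no challenge before it
        else:
            checks.append(Check(pending[0], pending[1], value))
            pending = None
    if pending is not None:
        incomplete += 1
    return checks, incomplete


def failures_by_minute(checks):
    """Count mismatching pairs per minute (YYYY/MM/DD HH:MM)."""
    counts = defaultdict(int)
    for check in checks:
        if not check.ok:
            counts[check.timestamp[:16]] += 1
    return dict(counts)


if __name__ == "__main__":
    found, broken = credential_checks(SAMPLE_LOG)
    for c in found:
        print(c.timestamp, "ok" if c.ok else "MISMATCH", c.challenge, c.calculated)
    print("incomplete pairs:", broken, "failures:", failures_by_minute(found))
```

The `5` in each header is the debug level of the message, so these records are only written when `log level` is 5 or higher.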
Re: [Samba] PDC login problem solved
A few days ago I was in the same situation... The registry patch only fixes the Current Control Set, but if you use regedit, you'll see 2 or 3 more controlsets... You have to patch the other controlsets too. Usually the names of those controlsets are Controlset001, Controlset002...

Make sure that your smb.conf contains domain logons = Yes

Hope this helps!!

Fernando

Alexander Skwar wrote:

»Alexander Skwar« said on 2002-05-12 at 09:39:44 + :

I've now solved the problem. If you remember, I was unable to login from Windows 2000 to a Samba PDC.

Well, seems like I just was lucky with this Windows 2000 :( I'm now trying to join a Windows XP Pro to the domain and am having the exact same problems again:

[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(124) challenge : 7E4AAC6B38C9CDEE
[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(125) calculated: 23F65703AB1FDCFE
[2002/05/12 12:35:09, 5] libsmb/credentials.c:cred_assert(134) credentials check wrong

Urgs. I've checked the registry for the signorseal bit and set it to 0 (as per the WinXP_reg patch). The computer is named in all lower case both on the Windows side and in Samba.

If somebody could please help me :|

Alexander Skwar
Re: [Samba] PDC login problem solved
»Fernando Maidana« said on 2002-05-12 at 12:22:50 -0300 :

A few days ago I was in the same situation... The registry patch only fixes the Current Control Set, but if you use regedit, you'll see 2 or 3 more controlsets... You have to patch the other controlsets too. Usually the names of those controlsets are Controlset001, Controlset002... Make sure that your smb.conf contains domain logons = Yes

Nice idea, however ControlSet001 and ControlSet002 also contain requiresignorseal=0 :( domain logons is yes, else I would not be able to login from my Windows 2000 PC.

Hope this helps!!

Sorry, no, however thanks a lot for your help. Really appreciate it!

Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.iso-top.de | Jabber: [EMAIL PROTECTED]
iso-top.de - The affordable way to get Linux distributions
Uptime: 1 day 0 hours 29 minutes
Re: Re: [Samba] PDC: Suddenly profiles are no longer retrievable
Maybe this is the same problem I had or might still even have. I seem to have fixed it. I updated to CVS 2.2.4-pre release, and I disabled in both Excel and Word the feature to save files every 10 minutes for recreation. I added:

nt acl support = no

under the [Profiles] section. Today I also disabled link file tracking with Poledit, I want to do that anyway. So far so good.

/Mikko

At 11:13 2002-04-11, you wrote:

On Thu, 4 Apr 2002, Stephan M. Ott wrote:

Hi,

I'm running Samba 2.2.2 as a PDC for a small network of Windows2000-PCs. Some days ago users reported that they couldn't logon to the domain successfully. When trying by myself, I found that the logon itself works, but that clients cannot receive their profiles from the server. Windows tells no permission. So I checked the access-rights of the profiles - all are correct. When checking the logfiles I found the same error message for each logon-attempt:

[2002/03/29 09:37:14, 0] rpc_server/srv_netlog.c:api_net_sam_logon(208) api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
[2002/03/29 09:37:14. 0] rpc_server/srv_pipe.c: api_rpcTNP(1204) api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.

Ignore this error. It has nothing to do with your profile problem.

Hi all, what is then the error? I have the same problem, which I am also unable to solve.

greetings
thomas

-
This mail sent through encrypted https://webmail.tronicplanet.de