Re: [Samba] Samba Authentication With Kerberos
Hi Andrew,

it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>>
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?
>
>> The command I execute is:
>>
>> smbclient -L localhost -k
>>
>> The error message from Samba is:
>>
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.
>
> (This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba Authentication With Kerberos
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
>
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?

> The command I execute is:
>
> smbclient -L localhost -k
>
> The error message from Samba is:
>
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.

(This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Re: [Samba] Samba Authentication With Kerberos
Thank you, this is a Samba4 host as an AD DC.
Re: [Samba] Samba Authentication With Kerberos
Disregard, that, sorry.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Salib, Mr
Sent: January-28-13 9:38 AM
To: Andrew Bartlett; Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

Thank you, this is a Samba4 host as an AD DC.
Re: [Samba] Samba authentication problem
On 25 March 2011 01:47, Xamindar junkxamin...@gmail.com wrote:
> On 03/24/2011 03:55 PM, Jeremy Allison wrote:
>> On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
>>> On 03/24/2011 03:33 PM, Jeremy Allison wrote:
>>>> Share level security doesn't automatically mean no password. Either use the password for user xamindar, or add
>>>
>>> Like I stated in the first post, it is not accepting the password for xamindar. It spits back that it is wrong and in the logs I see create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD. The password is correct. It works fine with security set to user. I have tested with the mount command in linux and with a Vista machine, neither are able to connect.
>>>
>>>> map to guest = Bad Password
>>>
>>> When this is set it will ALWAYS connect as guest because it is not accepting any valid passwords.
>>>
>>>> in the [global] section of your smb.conf. See the smb.conf man page for details.
>>>
>>> Thanks for the recommendations.
>>>
>>>> Jeremy.
>>>
>>> Am I missing something vital when security is set to share?
>>
>> Sounds like a bug in your version of the cifsfs kernel module. With security=share try connecting with the same password using smbclient. If it correctly connects then it's cifsfs screwing up somehow.
>>
>> Jeremy.
>
> It still rejects it with this message:
>
> # smbclient //172.16.0.7/backup -U xamindar
> Enter xamindar's password:
> Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
> Server not using user level security and no password supplied.
> Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> I did type the password even though it is saying no password is supplied. I tried enabling 'client lanman auth' and restarting the server but I still get the same message when trying to connect.

Well, as far as I can tell based on discussions here and on samba-technical, security = share is a bit of a hack (the way it works, and not just Samba's implementation) and probably doesn't work in recent versions of Windows anyway (although I haven't tried it).

Your test above failed because share level security seems to imply the insecure lanman authentication, but client lanman auth defaults to no, so smbclient refuses to send the password. cifsfs is probably also refusing to use lanman authentication, and there may be an option to tell it to allow lanman auth. I am no expert on this, so if that doesn't work, I can't help.

You should probably try getting things to work with security = user and map to guest = Bad Password, though, since security = share has always been dodgy and is likely to cause you trouble in future when you upgrade Samba.

--
Michael Wood esiot...@gmail.com
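The settings this exchange turns on, as an added example that is not part of the original thread: a small audit of an smb.conf for `security = share`, LANMAN being switched on, and guest write access. Both sample configs are constructed (the first modelled on the one posted in the thread, the second on the `security = user` advice), and the function names are illustrative.

```python
"""Audit an smb.conf for the authentication settings discussed in this thread."""

# Constructed sample, modelled on the [global]/[backup] config posted in the thread.
THREAD_CONF = """\
[global]
    server string = Backup and Multimedia server
    security = SHARE
    write list = xamindar
[backup]
    path = /mnt/user/backup
"""

# Constructed sample following the reply's advice: security = user plus
# map to guest, guests read-only, one named user allowed to write.
SUGGESTED_CONF = """\
[global]
    security = user
    map to guest = Bad Password
[backup]
    path = /mnt/user/backup
    guest ok = yes
    read only = yes
    write list = xamindar
"""


def norm(name):
    # smb.conf ignores case and whitespace inside parameter names.
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def guest_ok(share, glob):
    for scope in (share, glob):          # share setting wins over [global]
        for key in ("guestok", "public"):
            if key in scope:
                return is_yes(scope[key])
    return False


def read_only(share, glob):
    for scope in (share, glob):
        if "readonly" in scope:
            return is_yes(scope["readonly"])
        for inverted in ("writeable", "writable", "writeok"):
            if inverted in scope:
                return not is_yes(scope[inverted])
    return True                          # smb.conf default: read only = yes


def audit(text):
    """Return a list of (level, section, message) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "user").strip().lower() == "share":
        findings.append(("fail", "global",
                         "security = share: clients are asked for a LANMAN "
                         "password, which smbclient refuses by default"))
    for key, label in (("clientlanmanauth", "client lanman auth"),
                       ("lanmanauth", "lanman auth")):
        if is_yes(glob.get(key, "no")):
            findings.append(("fail", "global", label + " = yes enables LANMAN"))
    if norm(glob.get("maptoguest", "Never")) == "badpassword":
        findings.append(("note", "global",
                         "map to guest = Bad Password: a mistyped password "
                         "becomes a guest session instead of an error"))
    for name, share in conf.items():
        if name == "global":
            continue
        # 'write list' users may write even when the share is read only,
        # so guest ok + read only + write list gives guests read access only.
        if guest_ok(share, glob) and not read_only(share, glob):
            findings.append(("fail", name, "guests can write to this share"))
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_CONF), ("suggested", SUGGESTED_CONF)):
        for finding in audit(text):
            print(label, *finding, sep=" | ")
```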
Re: [Samba] Samba authentication problem
Little update. I just found that if I chose Map Network Drive on the vista machine it will authenticate and connect the share as a network drive. Why does it fail when just browsing through network neighborhood? It looks like it is still read only this way. But guest access for this share should be disabled so it makes no sense.
Re: [Samba] Samba authentication problem
It seems samba has outgrown it's documentation and this is not possible anymore despite what it states. It would have been nice if someone here could have told me but maybe no one knows? Thanks to those who responded earlier. I found out through lots of searching and chats on irc that you can't do this with share level security. It's a shame, it would have been very useful in a low security home environment.
Re: [Samba] Samba authentication problem
I'm coming back to this problem after giving it a rest for a while. I find it hard to believe that no one sets up authentication with security set to share. Is that really the case? Is share security deprecated and untested or something?

As no one was able to point out what I did wrong in my config before, I decided to try setting this scenario up on a completely different system which runs a different distro (same version of samba afaik). I am having the same exact problem on this other machine so it must be a config issue or samba just doesn't work this way.

This time I am testing it by trying to connect to it from a windows xp and vista machine. Both machines keep re-prompting me for the userid and password of the share over and over again after I type the correct password. Why is it so impossible to have a simple username authenticate to a share? At this point to have a little security, I have to make them all guest access read only as nothing else works in this mode.

I don't mean to sound a little frustrated but I would have thought samba would be a little more robust than that by now. If it just isn't meant to work this way can someone help me out a little and explain it? I have read through the docs and explanations of the different options many times and can't find a reason it shouldn't work.

Thanks for any help, I don't know what else to do.

On 3/24/2011 1:00 PM, Xamindar wrote:
> Hi, I have asked around in other forums but no one seems to know why this doesn't work.
>
> I have a backup server with samba on it and am trying to set it up to only allow write access when a user authenticates but to allow reading from anyone (guest). At this time I have guest disabled and a minimal config set up as shown below to try to narrow down the problem. I have added the user xamindar using smbpasswd on the server.
>
> I then tried to mount the backup share from another machine with the following command:
>
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
>
> But I keep getting the following response:
>
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Can anyone tell me what I am doing wrong here? I am sure I have missed something. It is possible to authenticate per share with share level security is it not? I just can't get authentication to work no matter what I have tried on this machine. With guest enabled it will just use the guest account and that works fine.
>
> Thanks for any help, I am pulling my hair out here.
>
> ***smb.conf***
> [global]
> server string = Backup and Multimedia server
> security = SHARE
> smb passwd file = /etc/samba/private/passdb.tdb
> load printers = No
> disable spoolss = Yes
> show add printer wizard = No
> write list = xamindar
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> map hidden = Yes
> map system = Yes
>
> [backup]
> path = /mnt/user/backup
> **
Re: [Samba] Samba Authentication wrecking my head [ADS]
There is no /var/cache/samba folder. Any idea what files I'm looking for?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Wednesday, March 30, 2011 7:50 PM
To: Brian O'Mahony
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

Also check /var/cache/samba

Dale

On 03/30/2011 11:48 AM, Brian O'Mahony wrote:
> samba3-3.4.11-42.el5
>
> However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs.
>
> So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony it's showing the id as 10
>
> Thanks
> B
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Wednesday, March 30, 2011 4:28 PM
> To: Samba
> Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]
>
> What version of samba?
>
> I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files, but when the cache timeout expired, the cache files were not repopulated.
>
> Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.)
>
> On 03/30/2011 10:07 AM, Brian O'Mahony wrote:
>> After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?
Re: [Samba] Samba Authentication wrecking my head [ADS]
I deleted *everything* in /var/lib/samba and it worked.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Thursday, March 31, 2011 10:03 AM
To: 'Dale Schroeder'
Cc: Samba
Subject: Re: [Samba] Samba Authentication wrecking my head [ADS]

The is no /var/cache/samba folder. Any idea what files im looking for?
Re: [Samba] Samba Authentication wrecking my head [ADS]
After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba@lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]

I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works. Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleague's). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However a third account that was supposed to work, failed with su: user ccadm does not exist. Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:

[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:

1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users groups can I not log in, or get samba working.

This is really starting to get on my nerves. I just cannot understand why if it can see the users using wbinfo, why it is telling me they don't exist. Would really appreciate some help on this.

Regards
B

[root@akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind

log.winbind:
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version) [ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir) [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam) [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam) [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version) [ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir) [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth) [ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam) [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x0010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2

# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
Re: [Samba] Samba Authentication wrecking my head [ADS]
What version of samba? I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files. but when the cache timeout expired, the cache files were not repopulated. Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.) On 03/30/2011 10:07 AM, Brian O'Mahony wrote: After a bit of googling, I found that the idmap has been corrupted. Why would/could this happen?
Re: [Samba] Samba Authentication wrecking my head [ADS]
samba3-3.4.11-42.el5 However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs. So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony its showing the id as 10 Thanks B -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal Sent: Wednesday, March 30, 2011 4:28 PM To: Samba Subject: Re: [Samba] Samba Authentication wrecking my head [ADS] What version of samba? I found that samba 3.0.x (as bundled with solaris) had problems with idmap. This was with LDAP backend, a Samba DC with trusts to Windows 2003 domain (in NT domain compatibility mode.) Samba would allocate idmap entries in ldap, and would populate the TDB cache files. but when the cache timeout expired, the cache files were not repopulated. Long and short- I don't think Samba 3.0.x plays nice with Windows 2003. It doesn't work with Windows 2008 domains (2003 mode.)
Re: [Samba] Samba Authentication wrecking my head [ADS]
Also check /var/cache/samba Dale On 03/30/2011 11:48 AM, Brian O'Mahony wrote: samba3-3.4.11-42.el5 However I have moved to using idmap_rid, as I will have cold standbys of machines that I want to be able to access SAN data, with the same IDs. So how does one go about clearing the samba user cache? I had it set up with users starting at 1. With RID I have now brought this down to 500 (so I can easily see the difference). I deleted the winbindd_* files folder in /var/lib/samba, but when I use a getent passwd brian.omahony its showing the id as 10 Thanks B
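An added example, not part of the original posts: a Python triage of the sshd/PAM lines posted in this thread, grouped by sshd PID, so that an account-lookup failure ("Invalid user", "user unknown") is reported ahead of the later pam_winbind password verdict. The function and label names are assumptions made for the example, and the PID 7400 session is constructed for contrast.

```python
import re
from collections import defaultdict

# First six lines: copied from the secure log posted in this thread.
# Last two lines (PID 7400, address 192.0.2.10): constructed for contrast.
SAMPLE_LOG = """\
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2
Mar 30 15:02:11 akbartrap sshd[7400]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Mar 30 15:02:13 akbartrap sshd[7400]: Failed password for brian.omahony from 192.0.2.10 port 40122 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(\d+)\]:\s+(.*)$")

# Messages that mean the account could not be resolved (getpwnam failed),
# which happens before any password is evaluated.
LOOKUP_PATTERNS = [
    re.compile(r"[Ii]nvalid user (?P<user>\S+)"),
    re.compile(r"error retrieving information about user (?P<user>\S+)"),
    re.compile(r"check pass; user unknown"),
]
NTSTATUS = re.compile(r"NTSTATUS: (NT_STATUS_\w+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from")

HINTS = {
    "identity-lookup-failure":
        "account not resolvable via NSS: check winbind/idmap with "
        "'getent passwd <user>' before looking at the password",
    "credential-failure": "account resolves: check the password or group restriction",
    "no-failure-seen": "",
}


def triage(log_text):
    """Return {sshd_pid: {"verdict", "users", "ntstatus", "hint"}}."""
    raw = defaultdict(lambda: {"users": set(), "lookup": 0,
                               "ntstatus": [], "failed": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd line
        session = raw[int(m.group(1))]
        msg = m.group(2)
        for pat in LOOKUP_PATTERNS:
            hit = pat.search(msg)
            if hit:
                session["lookup"] += 1
                user = hit.groupdict().get("user")
                if user:
                    session["users"].add(user)
        status = NTSTATUS.search(msg)
        if status:
            session["ntstatus"].append(status.group(1))
        failed = FAILED.search(msg)
        if failed:
            session["failed"] += 1
            session["users"].add(failed.group("user"))

    report = {}
    for pid, s in raw.items():
        if s["lookup"]:
            verdict = "identity-lookup-failure"
        elif s["ntstatus"] or s["failed"]:
            verdict = "credential-failure"
        else:
            verdict = "no-failure-seen"
        report[pid] = {"verdict": verdict, "users": sorted(s["users"]),
                       "ntstatus": s["ntstatus"], "hint": HINTS[verdict]}
    return report


if __name__ == "__main__":
    for pid, entry in sorted(triage(SAMPLE_LOG).items()):
        print(pid, entry["verdict"], entry["users"], entry["ntstatus"])
        if entry["hint"]:
            print("   ", entry["hint"])
```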
Re: [Samba] Samba authentication problem
From: Xamindar junkxamin...@gmail.com
Date: Thu, 24 Mar 2011 16:47:16 -0700

> > Sounds like a bug in your version of the cifsfs kernel module. With security=share try connecting with the same password using smbclient. If it correctly connects then it's cifsfs screwing up somehow.
> >
> > Jeremy.
>
> It still rejects it with this message:
>
> # smbclient //172.16.0.7/backup -U xamindar
> Enter xamindar's password:
> Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
> Server not using user level security and no password supplied.
> Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> I did type the password even though it is saying no password is supplied. I tried enabling 'client lanman auth' and restarting the server but I still get the same message when trying to connect.

As far as I examined with smbclient of Samba 3.5.8, the same issue occurs but mount.cifs works well.

My smb.conf:
-
[global]
security = share
[tmp]
path = /tmp
-

# /usr/local/samba/sbin/mount.cifs //192.168.135.128/tmp /smb1 -o user=monyo%password
# df -k | grep /smb1
7850996 2059428 5392756 28% /smb1
# /usr/local/samba/bin/smbclient //192.168.135.128/tmp -o monyo%password
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.5.8]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba authentication problem
In further testing, changing security to user gets authentication working. Does anyone know why the Samba team removed the possibility to authenticate with share based security? I would find it very useful to be able to see the shares and then authenticate when connecting to one.

Also, the help file (from swat) needs to be corrected to reflect this. The sections on security in the help file still state "Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share", which apparently no longer works.

On 03/24/2011 01:00 PM, Xamindar wrote:
> Hi,
> I have asked around in other forums but no one seems to know why this doesn't work. I have a backup server with samba on it and am trying to set it up to only allow write access when a user authenticates but to allow reading from anyone (guest). At this time I have guest disabled and a minimal config set up as shown below to try to narrow down the problem.
>
> I have added the user xamindar using smbpasswd on the server. I then tried to mount the backup share from another machine with the following command:
>
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
>
> But I keep getting the following response:
>
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Can anyone tell me what I am doing wrong here? I am sure I have missed something. It is possible to authenticate per share with share level security is it not? I just can't get authentication to work no matter what I have tried on this machine. With guest enabled it will just use the guest account and that works fine.
>
> Thanks for any help, I am pulling my hair out here.
>
> ***smb.conf***
> [global]
> server string = Backup and Multimedia server
> security = SHARE
> smb passwd file = /etc/samba/private/passdb.tdb
> load printers = No
> disable spoolss = Yes
> show add printer wizard = No
> write list = xamindar
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> map hidden = Yes
> map system = Yes
>
> [backup]
> path = /mnt/user/backup
> **
Re: [Samba] Samba authentication problem
On Thu, Mar 24, 2011 at 03:14:54PM -0700, Xamindar wrote:
> In further testing, changing security to user gets authentication working. Does anyone know why the Samba team removed the possibility to authenticate with share based security? I would find it very useful to be able to see the shares and then authenticate when connecting to one.
>
> Also, the help file (from swat) needs to be corrected to reflect this. The sections on security in the help file still state "Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share", which apparently no longer works.

No, share level security, warts and all, still exists and works in 3.5.8.

Jeremy.
Re: [Samba] Samba authentication problem
That is the version of samba that I am running, but it does not work. This is an Arch system and I doubt they would have changed it.

On 03/24/2011 03:16 PM, Jeremy Allison wrote:
> No, share level security, warts and all, still exists and works in 3.5.8.
>
> Jeremy.
Re: [Samba] Samba authentication problem
On Thu, Mar 24, 2011 at 01:00:51PM -0700, Xamindar wrote:
> Hi,
> I have asked around in other forums but no one seems to know why this doesn't work. I have a backup server with samba on it and am trying to set it up to only allow write access when a user authenticates but to allow reading from anyone (guest). At this time I have guest disabled and a minimal config set up as shown below to try to narrow down the problem.
>
> I have added the user xamindar using smbpasswd on the server. I then tried to mount the backup share from another machine with the following command:
>
> mount -t cifs //chiroru/backup /mnt/temp -o username=xamindar
>
> But I keep getting the following response:
>
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Can anyone tell me what I am doing wrong here? I am sure I have missed something. It is possible to authenticate per share with share level security is it not? I just can't get authentication to work no matter what I have tried on this machine. With guest enabled it will just use the guest account and that works fine.
>
> Thanks for any help, I am pulling my hair out here.

Share level security doesn't automatically mean no password. Either use the password for user xamindar, or add

map to guest = Bad Password

in the [global] section of your smb.conf. See the smb.conf man page for details.

Jeremy.
Re: [Samba] Samba authentication problem
On 03/24/2011 03:33 PM, Jeremy Allison wrote:
> Share level security doesn't automatically mean no password. Either use the password for user xamindar, or add

Like I stated in the first post, it is not accepting the password for xamindar. It spits back that it is wrong and in the logs I see create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD. The password is correct. It works fine with security set to user. I have tested with the mount command in linux and with a Vista machine, neither are able to connect.

> map to guest = Bad Password

When this is set it will ALWAYS connect as guest because it is not accepting any valid passwords.

> in the [global] section of your smb.conf. See the smb.conf man page for details.

Thanks for the recommendations.

> Jeremy.

Am I missing something vital when security is set to share?
Re: [Samba] Samba authentication problem
On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
> On 03/24/2011 03:33 PM, Jeremy Allison wrote:
> > Share level security doesn't automatically mean no password. Either use the password for user xamindar, or add
>
> Like I stated in the first post, it is not accepting the password for xamindar. It spits back that it is wrong and in the logs I see create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD. The password is correct. It works fine with security set to user. I have tested with the mount command in linux and with a Vista machine, neither are able to connect.
>
> > map to guest = Bad Password
>
> When this is set it will ALWAYS connect as guest because it is not accepting any valid passwords.
>
> > in the [global] section of your smb.conf. See the smb.conf man page for details.
>
> Thanks for the recommendations.
>
> > Jeremy.
>
> Am I missing something vital when security is set to share?

Sounds like a bug in your version of the cifsfs kernel module. With security=share try connecting with the same password using smbclient. If it correctly connects then it's cifsfs screwing up somehow.

Jeremy.
Re: [Samba] Samba authentication problem
On 03/24/2011 03:55 PM, Jeremy Allison wrote:
> On Thu, Mar 24, 2011 at 03:44:51PM -0700, Xamindar wrote:
> > On 03/24/2011 03:33 PM, Jeremy Allison wrote:
> > > Share level security doesn't automatically mean no password. Either use the password for user xamindar, or add
> >
> > Like I stated in the first post, it is not accepting the password for xamindar. It spits back that it is wrong and in the logs I see create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD. The password is correct. It works fine with security set to user. I have tested with the mount command in linux and with a Vista machine, neither are able to connect.
> >
> > > map to guest = Bad Password
> >
> > When this is set it will ALWAYS connect as guest because it is not accepting any valid passwords.
> >
> > > in the [global] section of your smb.conf. See the smb.conf man page for details.
> >
> > Thanks for the recommendations.
> >
> > > Jeremy.
> >
> > Am I missing something vital when security is set to share?
>
> Sounds like a bug in your version of the cifsfs kernel module. With security=share try connecting with the same password using smbclient. If it correctly connects then it's cifsfs screwing up somehow.
>
> Jeremy.

It still rejects it with this message:

# smbclient //172.16.0.7/backup -U xamindar
Enter xamindar's password:
Domain=[RADNIMAX] OS=[Unix] Server=[Samba 3.5.8]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
tree connect failed: NT_STATUS_ACCESS_DENIED

I did type the password even though it is saying no password is supplied. I tried enabling 'client lanman auth' and restarting the server but I still get the same message when trying to connect.
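An added example, not part of the original posts: a Python check that parses an smb.conf and reports the [global] settings this thread turns on (share-level security, "map to guest = Bad Password", and the LANMAN switches). Both sample configurations are constructed from values posted in the thread; the function names and finding labels are assumptions made for the example.

```python
import re

# Constructed from the smb.conf posted in this thread, with the two settings
# that were suggested or tried later in the discussion added.
SHARE_CONF = """\
[global]
    server string = Backup and Multimedia server
    security = SHARE
    map to guest = Bad Password
    client lanman auth = Yes
    write list = xamindar

[backup]
    path = /mnt/user/backup
"""

# Constructed: the same share with "security = user", which the poster
# reports as the setting where authentication works.
USER_CONF = """\
[global]
    server string = Backup and Multimedia server
    security = user
    ; map to guest = Bad Password
    write list = xamindar

[backup]
    path = /mnt/user/backup
"""

TRUE_VALUES = {"yes", "true", "on", "1"}


def normalise(name):
    """smb.conf parameter names ignore case and the amount of whitespace."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Handles '#' and ';' comments and indented lines. Backslash line
    continuations and include directives are not handled.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][normalise(key)] = value.strip()
    return conf


def audit(text):
    """Return a list of (finding_id, explanation) for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    share = g.get("security", "").lower() == "share"
    guest_on_bad_pw = normalise(g.get("map to guest", "")) == "bad password"
    if share:
        findings.append(("security-share",
                         "share-level security: smbclient in this thread reports the "
                         "server requesting a LANMAN password"))
    if guest_on_bad_pw:
        findings.append(("guest-on-bad-password",
                         "a login with a wrong password is mapped to the guest account "
                         "instead of being rejected"))
    if share and guest_on_bad_pw:
        findings.append(("silent-guest-fallback",
                         "if password checks fail under security = share, every "
                         "connection becomes guest, as reported in the thread"))
    for param in ("lanman auth", "client lanman auth"):
        if g.get(param, "").lower() in TRUE_VALUES:
            findings.append(("lanman-enabled",
                             param + " is on: LANMAN password hashes are weak"))
    return findings


if __name__ == "__main__":
    for name, text in (("share-level", SHARE_CONF), ("user-level", USER_CONF)):
        print(name)
        for finding_id, why in audit(text) or [("ok", "no findings")]:
            print("  %-22s %s" % (finding_id, why))
```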
Re: [Samba] Samba Authentication - User ID Pass-Thru?
SNIP

Now the issue I'm having may not have a workaround, but I'm just looking for ideas. When users on the client (any computer on the network) write a file to the server that they see, it is in turn writing back to the Samba share on the file server. Thus, no matter who writes the file, it's written to the actual filesystem as the user by which the gateway mounts the share on the file server. Can anybody think of any way to pass along the user ID up the chain so that it's written to the filesystem as the originating user?

Long and short of it no. This can also cause some serious other problems.

Don't know why you want to do this, but here's a solution. (Using LDAP backend would make this spiffy, but this should be ok) On the server where stuff actually writes, share that as an NFS share and mount it on the Gateway server. Then share the nfs mount point via samba. The LDAP part comes in because you can have both servers using ldap for users and groups and keep your permissions and UID/GID stuff global.

I can make sure the user accounts line up on the two servers, that's no big deal. I'm just wondering if it's possible. It's not a showstopper for me if everything gets written as the same user, I can deal with that. (Although I am having issues with create masks and group writability, but that's for another time.)

I'm just tossing the question out to the group to see if it's anything that's been dealt with before or anything interesting enough to warrant discussion/collaboration. The answer might even be to use something other than Samba between the gateway server and the file server. I'm certainly open to suggestions on that. The only other related technology with which I have any experience is NFS and I chose Samba over that simply for the stability and robustness in unexpected situations. It's been my experience in the past that NFS gets pretty unstable when the network connection drops and can hang a machine's shutdown procedures. This is to be avoided in this particular situation because, in the event of a power failure detected by the UPS, properly stopping the services and unmounting the filesystem cleanly are critical. The _only_ job of the file server on the back end is to protect the data.

If anybody has any suggestions I'd really appreciate it. Thanks!

--
Regards,
David P. Donahue

It's hard enough to live in a world where you grow old and die, why be disharmonious? - Jack Kerouac
Re: [Samba] Samba Authentication with a windows password server
Hello Vishesh,

Thank you for the reply. I'm not too familiar with the network, I've only been given access to the linux machine so I'm unsure if there's a machine / workgroup name conflict. It's something I shall have to investigate.

Here is a copy of the current smb.conf file (I've modified the workgroup / domain):

[global]
#security = domain
security = ads
netbios name = WORKGROUP
#realm = WORKGROUP
realm = CORP.DOMAIN.COM
preferred master = no
password server = dc1.corp.domain.com
workgroup = WORKGROUP
idmap uid = 5000-1000
idmap gid = 5000-1000
winbind separator = +
#winbind enum users = no
#winbind enum groups = no
#winbind use default domain = yes
template homedir = /home/%d/%u
template shell = /bin/bash
#client use spnego = yes
#domain master = no
; server string = samba 3.2.3
# encrypt passwords = yes
; guest ok = yes
; guest account = nobody
# os level = 128

Thanks again.

vishesh kumar wrote:
> Dear wispa
> does machine name or workgroup name collide in your network. Send smb.conf configuration for detail analysis
> thanks
Re: [Samba] Samba Authentication with a windows password server
Dear wispa
does machine name or workgroup name collide in your network. Send smb.conf configuration for detail analysis
thanks

On Mon, Oct 5, 2009 at 9:03 PM, wispa oliver.s...@googlemail.com wrote:
> Hi all,
>
> I'm trying to set up Samba on a client's computer so that it authenticates the users which are accessing it via a windows domain controller and kerberos. I've been following various tutorials and it all seems to go through correctly but when the client tries to access the shares, it doesn't accept his credentials and won't get past the login window.
>
> The only failure seems to be within the nmbd log which says this (I've changed the domain name / IPs):
>
> [2009/10/05 16:27:43, 0] nmbd/nmbd_nameregister.c:register_name_response(129)
>   register_name_response: server at IP 192.168.1.122 rejected our name registration of DOMAIN00 IP 192.168.1.120 with error code 6.
> [2009/10/05 16:27:43, 0] nmbd/nmbd_mynames.c:my_name_register_failed(35)
>   my_name_register_failed: Failed to register my name DOMAIN00 on subnet 192.168.1.120.
>
> Now the odd thing is that 192.168.1.120 is the samba machine but 192.168.1.120 is a proxy server and doesn't seem to be referenced anywhere.
>
> Could this be a result of the windows machines not being set up correctly or would this be something incorrectly set up on the linux machine? I can't seem to figure it out.
>
> Many thanks.
>
> Oliver

--
http://linuxinterviews.blogspot.com
Re: [Samba] samba authentication via pam_pwdfile
On Mon, 2009-09-28 at 18:37 -0400, Charles Yost wrote:

I'm attempting to setup samba authentication via PAM and more specifically the pam_pwdfile module. So far I have had trouble determining the right mix of global settings to get this to work. I have read through many tutorials online, but so far I have not found good documentation on how to achieve this.

Because it doesn't work; at least not without hacking every Windows client. [Does that even still work anymore? I don't know, it really is not a reasonable/maintainable thing to do].

You need to either setup an LDAP DSA and use that for authentication and have Samba use that too (as a DC). Or setup Samba as a NT4 PDC and use that for authentication.

PAM is, practically speaking, a lost cause for Windows clients - for technical/implementation reasons it can't work well.

--
OpenGroupware developer: awill...@whitemice.org
http://whitemiceconsulting.blogspot.com/
OpenGroupware Cyrus IMAPd documentation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
Re: [Samba] samba authentication via pam_pwdfile
On Sep 29, 2009, at 6:47 AM, Adam Tauno Williams wrote:

Because it doesn't work; at least not without hacking every Windows client. [Does that even still work anymore? I don't know, it really is not a reasonable/maintainable thing to do]. You need to either setup an LDAP DSA and use that for authentication and have Samba use that too (as a DC). Or setup Samba as a NT4 PDC and use that for authentication. PAM is, practically speaking, a lost cause for Windows clients - for technical/implementation reasons it can't work well.

I apologize, I suppose I left some details out. I am not trying to setup a domain, or even share printers. All that I am looking to accomplish with my samba implementation is sharing a couple of directories on the server to a few independent windows machines. I don't need users to authenticate across a domain, just to be able to have access to the shares based on username restrictions. I can get this working just fine using the smbpasswd file, but I am trying to unify the passwords used for several services.

I am sure it can be done because there is a whole chapter in the samba documentation on using PAM with winbind on a samba machine when you need to authenticate to an existing domain.

=Charles
Re: [Samba] Samba authentication against Linux-based Kerberos
David Markey wrote:

Otherwise you could do some pam hackery, perhaps stacking pam_winbind and pam_krb5 for password changing. You would have to do this on all the nodes on your network. and for the windows side of things you could write a password change script, which would be called by samba on a password change.

Thanks David!

Heimdal Kerberos is - in our case - no solution, as we're using MIT Kerberos. So it's either some pam hackery (in which case the distribution of the changes would pose no problems as all of our nodes are configured centrally via cfengine) or we'll leave it the way it is (advising users to change their passwords twice). I'll have a look at it and see if I've got the time to dig deeper into this topic.

If anybody has ever done such a thing - don't be shy and share your knowledge!

Cheers,
Robert
Re: [Samba] Samba authentication against Linux-based Kerberos
Use the popular heimdal, openldap + smbk5pwd, samba3 combo. This will keep samba/ldap/kerberos passwords in sync no matter how or where the password is changed.

Otherwise you could do some pam hackery, perhaps stacking pam_winbind and pam_krb5 for password changing. You would have to do this on all the nodes on your network. and for the windows side of things you could write a password change script, which would be called by samba on a password change.

On Tue, 01 Sep 2009 16:48:01 +0200, Robert Markula robert.mark...@gmx.net wrote:

Hi,

please consider the following situation in a heterogeneous, Windows Server-less network, where users use both Windows and Linux:

- On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam backend.
- On Linux users authenticate against a combination of OpenLDAP and Kerberos.

This, of course, brings up the old problem that users have to synchronise their passwords manually for both Windows and Linux. The ideal solution would be that Samba would just support authentication against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't seem possible with Samba3.

Is there anything else that can be done? So if users on Windows can't use Linux-based Kerberos for SSO, maybe there is at least a way for users to change their passwords on one OS and get it automatically synced for the other (i.e. if a user changes his password on a Windows machine it gets automatically changed for his Linux account as well and vice versa)?

Cheers,
Robert
Re: [Samba] Samba authentication
Have you tried putting the following line in the [global] section of your smb.conf file?

    client ntlmv2 auth = yes

Lukas Hejtmanek wrote:

Hello,

I wonder whether there is a way to authenticate samba against NTLM2 enabled radius server without using encrypt passwords = no. I really have no other option than this.

My situation is as follows. I have an organization that runs Microsoft Windows Server 2003 which is used as AD. This AD shares passwords with many information systems in our organisation and I would like to use these passwords also for samba users. Administrators of AD disagree to add my samba server to their AD. No way here. They agree to export LDAP (without passwords), Kerberos or Radius and possibly other services but not AD itself.

Is there a way to authenticate my samba against their authentication service? If there is no way per-se, would it be possible to modify winbindd to authenticate via NTLM2 against the Radius server instead of AD?

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Samba authentication
On Tue, Aug 18, 2009 at 04:24:31PM -0400, Robert Freeman-Day wrote:

Have you tried putting the following line in the [global] section of your smb.conf file?

    client ntlmv2 auth = yes

and what should I put there if I want to authenticate with radius server and not with ADS?

--
Lukáš Hejtmánek
Re: [Samba] samba authentication PAM/LDAP
vishesh kumar wrote:

Does NT hashes require even if we use kerberos for authentication?.

I don't understand the context of this question. A Samba 3 DC does not support kerb5 auth. So you can only use the NTLM authentication (which requires the NT hash). A domain member server just uses the DC for authentication and so this question does seem to apply. Did I miss something?

cheers, jerry

--
Samba --- http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
What man is a man who does not make the world better? --Balian
Re: [Samba] samba authentication PAM/LDAP
On Thu, Nov 13, 2008 at 4:22 AM, Volker Lendecke [EMAIL PROTECTED] wrote:

On Wed, Nov 12, 2008 at 03:41:12PM -0700, Christian McHugh wrote:

On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:

Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which only has Unix uids password hashes ? Thank you.

No. You need to store the NT hashes somewhere, either in LDAP or in another passdb backend.

What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap, and still run a samba server with the nss winbind backend?

Sure. But someone in the end must have the NT hashes. In the case of winbind it's a domain controller.

Volker

dear all

Does NT hashes require even if we use kerberos for authentication?.
Re: [Samba] samba authentication PAM/LDAP
On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:

Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which only has Unix uids password hashes ? Thank you.

No. You need to store the NT hashes somewhere, either in LDAP or in another passdb backend.

Volker
Re: [Samba] samba authentication PAM/LDAP
On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:

Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which only has Unix uids password hashes ? Thank you.

No. You need to store the NT hashes somewhere, either in LDAP or in another passdb backend.

What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap, and still run a samba server with the nss winbind backend?

If anyone has any tips for doing this I'd really like to know.

Thanks,
Christian McHugh
Re: [Samba] samba authentication PAM/LDAP
On Wed, Nov 12, 2008 at 03:41:12PM -0700, Christian McHugh wrote:

On Wed, Nov 12, 2008 at 03:53:51PM -0500, Lenny Shovsky wrote:

Can Samba authenticate directly ( through pam_ldap ? ) via LDAP, which only has Unix uids password hashes ? Thank you.

No. You need to store the NT hashes somewhere, either in LDAP or in another passdb backend.

What about the nss winbind backend? Couldn't you setup nss_ldap and pam_ldap, and still run a samba server with the nss winbind backend?

Sure. But someone in the end must have the NT hashes. In the case of winbind it's a domain controller.

Volker
RE: [Samba] Samba authentication using ADS
Try this: http://wiki.samba.org/index.php/Samba__Active_Directory

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Prashanth Adiyodi
Sent: Wednesday, October 01, 2008 7:42 AM
To: samba@lists.samba.org
Subject: [Samba] Samba authentication using ADS

Greetings

I need help in setting up my linux box with ADS authentication on Samba. I know that it can be done using winbind and Kerberos. I tried some of the online methods but I am not able to get a result. Request you to please help me with this.

These are the steps I followed to setup winbind

* Using Authconfig command I put in the relevant details like Use Winbind and Use Winbind Authentication and left Cache Information, Use MD5 Passwords and Use Shadow Passwords selected
* Then I put details about the domain with authentication.
* I placed entries in /etc/nssswitch as

    passwd: files winbind
    shadow: files winbind
    group: files winbind

This is the output I get

    [2008/10/01 18:27:56, 0] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find KDC for requested realm
    [2008/10/01 18:27:56, 0] utils/net_ads.c:ads_startup(186)
      ads_connect: Cannot find KDC for requested realm
    [2008/10/01 18:27:56, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
      cli_nt_session_open: cli_nt_create failed on pipe \lsarpc to machine ads.example.com. Error was NT_STATUS_ACCESS_DENIED
    could not initialise lsa pipe
    could not obtain sid for domain
    Shutting down Winbind services:[FAILED]
    Starting Winbind services: [ OK ]

Please help me as to what is going wrong. Appreciate if any members could help me out in configuring using Kerberos. Here also I edited the krb5.conf, krb.conf and krb.realm with the correct parameters but still am not able to get a solution.

Thanking you
Prashanth Adiyodi
System Administrator
Roamware (I) Pvt. Ltd.
Re: [Samba] Samba authentication to AD server
On Wed, Jul 16, 2008 at 12:59:36PM -0400, Gman wrote:

Greetings all;

I currently have a task to put together a SAMBA (3.2) server that can authenticate users to our local AD server. I was told recently that in order for that to happen, the authentication needs to be in mixed mode vice native (whatever that means), or it won't work. Can someone a bit more knowledgeable than I confirm or deny this statement, or point me at documents that explain the difference? Thanks in advance.

If the Samba server is merely a member of the AD domain, then no, you don't need to have the AD domain in mixed mode. It will work just fine with native mode.

If the Samba server is a PDC and you need it to have trusts with the AD domain, then yes, the AD domain must be in mixed mode.

Hope that helps,

Jeremy.
Re: [Samba] Samba authentication to AD server
On Wed, Jul 16, 2008 at 01:19:17PM -0700, Jeremy Allison wrote:

On Wed, Jul 16, 2008 at 12:59:36PM -0400, Gman wrote:

Greetings all;

I currently have a task to put together a SAMBA (3.2) server that can authenticate users to our local AD server. I was told recently that in order for that to happen, the authentication needs to be in mixed mode vice native (whatever that means), or it won't work. Can someone a bit more knowledgeable than I confirm or deny this statement, or point me at documents that explain the difference? Thanks in advance.

If the Samba server is merely a member of the AD domain, then no, you don't need to have the AD domain in mixed mode. It will work just fine with native mode.

If the Samba server is a PDC and you need it to have trusts with the AD domain, then yes, the AD domain must be in mixed mode.

Sorry, that's wrong. The only thing that native mode prevents is a NT4 BDC, so old-style net rpc vampire won't work anymore. Trusts should work. If they don't, please file a bug.

Volker
Re: [Samba] Samba authentication to AD server
On Wed, Jul 16, 2008 at 10:28:49PM +0200, Volker Lendecke wrote:

Sorry, that's wrong. The only thing that native mode prevents is a NT4 BDC, so old-style net rpc vampire won't work anymore. Trusts should work. If they don't, please file a bug.

Ah, thanks Volker. Thanks for the correction! It's been a while since I had to set this up in production :-).

Jeremy.
Re: [Samba] samba authentication awfully slow
Henning Evers wrote:

Hey there everybody. I am new to the list, so bear with me if I make mistakes :)

I updated my Server from FC7 to FC9 and with it came Samba 3.2.0pre3-9.fc9 (heaven knows why it had to be a pre version). I reused my old config and noticed that displaying all hosts in my workgroup as well as authentication went from normal to awfully slow. Once the connection is established it is bearable, though ropy.

    smbclient -L samsara //from an Ubuntu 8.04 in the same network
    smbclient -L localhost //from the server itself

results in:

    Receiving SMB: Server stopped responding
    session setup failed: Call timed out: server did not respond after 2 milliseconds

I have been reading a lot about it, I found others with the same problems, but I have not found a solution. I am so out of ideas here... I hope someone just says easy dude - its only ...

Thanks in advance, Henning

p.s.: Here's my testconfig, for what it's worth...

    [global]
    workgroup = SKYNET
    security = USER
    smb passwd file = /etc/samba/smbpasswd
    private dir = /etc/samba

    [Plans]
    path = /export/samba
    read only = Yes
    guest ok = Yes

It does not sound like this could be the cause of the problem, based on the fact that it just suddenly showed up on an update, but how many lines are in your smbpasswd file? It may be that you'll see substantial speed gains regardless moving that file to tdbsam, which is easily done with pdbedit -i and -e.

HTH,

--
Ryan Novosielski - Systems Programmer II
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:

Volker Lendecke wrote:

On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.

Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere. It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to. But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

Note: this is from my experience and research, both of which are extensive but probably wrong.

I wanted to do a similar thing (poor-man's SSO). I believe the problem is twofold:

1) The client never actually sends the password. By default, it sends a response to a challenge from the server; the response is based on the password. So the password, in any form, never traverses the network unless you explicitly turn on that compatibility model. Samba can't forward what it doesn't have.

2) Using LDAP for authentication is...a hack, to put it bluntly. Everybody does it, but we probably shouldn't.

The problem is that in either authentication scenario (bind against LDAP = Good! or query the tree for user/pw/group/etc) would require modifications to the LDAP server. It could accept the password, request a certificate and then store the token and return the Correct answer if the token is good and intentionally return an incorrect answer if the Kerb auth fails. Since you can't send passwords in plaintext for obvious reasons, a simple or complex way to do this escapes me.

I assume that you're not doing domain logins. You could write a web interface or quick Java craplet (or a keylogger...) that takes a login from the user and captures their password. Then you can feed that to a process on the LDAP server which authenticates against kerberos; if the authentication succeeds, you dump the hashed/crypted version of the password into the LDAP directory for authentication use later. Convoluted, but you could make it work.

Wes
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.

Volker
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 02:00:36PM -0700, Wes Modes wrote:

It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to.

http://davenport.sourceforge.net/ntlm.html

Enjoy.

Volker
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
Volker Lendecke wrote:

On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.

Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere. It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to.

But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

W.

--
Wes Modes
Server Administrator Programmer Analyst
McHenry Library Computing Network Services
Information and Technology Services
Re: Re: [Samba] SAMBA authentication ?
That's it! public needs to be set to no. Thanks for your help.

Original Message
From: Sadique Puthen [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: John Drescher [EMAIL PROTECTED], samba@lists.samba.org
Date: 4 February 2008 12:38
Subject: Re: [Samba] SAMBA authentication ?

czezz wrote:

smb.conf attached. security is set to SHARE. Otherwise I will not be able to have /pub which is accessible for everyone.

From man smb.conf

    public
        This parameter is a synonym for guest ok.

    guest ok (S)
        If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account. This paramater nullifies the benifits of setting restrict anonymous = 2 See the section below on security for more information about this option. Default: guest ok = no

So as long as you set public = Yes for share /pub2, you wouldn't be prompted for a username and password. The other option is to use security = user and set map to guest parameter for /pub share.

--Sadique

Thanks, Czezz

Original Message
From: Sadique Puthen [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: John Drescher [EMAIL PROTECTED], samba@lists.samba.org
Date: 4 February 2008 8:37
Subject: Re: [Samba] SAMBA authentication ?

czezz wrote:

Original Message
From: John Drescher [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx. What I did:

I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

    [pub2]
    path = /pub2
    volume = userx
    comment = Programy userx
    public = yes
    writable = yes
    share modes = yes
    read only = no
    create mode = 0775
    directory mode = 0775
    oplocks = True
    level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have way to log on to user userx account ?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John

Ammm... John, what's the point of unix permissions? I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get window to put login and password - why I don't have it ?

Are you using security=share or user? Please post your smb.conf without comments.

--Sadique

here is ls

    [EMAIL PROTECTED]:~# ls -l /home/
    drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
    drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

What is important !!! Windows Workstations from which I try to login hasn't account userx. The Windows environment is only workgroup. And each station has its own login. Each time someone want to access /pub2 then window asking for login and passwd should appear.
Re: Re: [Samba] SAMBA authentication ?
smb.conf attached. security is set to SHARE. Otherwise I will not be able to have /pub which is accessible for everyone.

Thanks, Czezz

Original Message
From: Sadique Puthen [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: John Drescher [EMAIL PROTECTED], samba@lists.samba.org
Date: 4 February 2008 8:37
Subject: Re: [Samba] SAMBA authentication ?

czezz wrote:

Original Message
From: John Drescher [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx. What I did:

I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

    [pub2]
    path = /pub2
    volume = userx
    comment = Programy userx
    public = yes
    writable = yes
    share modes = yes
    read only = no
    create mode = 0775
    directory mode = 0775
    oplocks = True
    level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have way to log on to user userx account ?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John

Ammm... John, what's the point of unix permissions? I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get window to put login and password - why I don't have it ?

Are you using security=share or user? Please post your smb.conf without comments.

--Sadique

here is ls

    [EMAIL PROTECTED]:~# ls -l /home/
    drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
    drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

What is important !!! Windows Workstations from which I try to login hasn't account userx. The Windows environment is only workgroup. And each station has its own login. Each time someone want to access /pub2 then window asking for login and passwd should appear.
Re: [Samba] SAMBA authentication ?
czezz wrote:

smb.conf attached. security is set to SHARE. Otherwise I will not be able to have /pub which is accessible for everyone.

From man smb.conf:

public
This parameter is a synonym for guest ok.

guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.
This parameter nullifies the benefits of setting restrict anonymous = 2
See the section below on security for more information about this option.
Default: guest ok = no

So as long as you set public = Yes for share /pub2, you wouldn't be prompted for a username and password. The other option is to use security = user and set map to guest parameter for /pub share.

--Sadique

Thanks,
Czezz

Original Message
From: Sadique Puthen [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: John Drescher [EMAIL PROTECTED], samba@lists.samba.org
Date: 4 February 2008 8:37
Subject: Re: [Samba] SAMBA authentication ?

czezz wrote:

Original Message
From: John Drescher [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx.

What I did:
I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have a way to log on to user userx account?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John

Ammm... John, what's the point of unix permissions? I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get a window to put login and password - why don't I have it?

Are you using security=share or user? Please post your smb.conf without comments.

--Sadique

here is ls

[EMAIL PROTECTED]:~# ls -l /home/
drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

What is important !!! The Windows workstations from which I try to log in don't have the account userx. The Windows environment is only a workgroup. And each station has its own login. Each time someone wants to access /pub2, a window asking for login and passwd should appear.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
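The exchange above turns on `public` being a synonym for `guest ok`. As an added example (not code from the thread or from Samba), this script normalizes smb.conf parameter names and reports which shares accept guest connections, using the [pub2] stanza from the post and a variant following the `security = user` suggestion. The [global] and [pub] stanzas, the `Bad User` value and the `valid users` line are assumptions made for illustration.

```python
# Added example: list the shares in an smb.conf that accept guest connections.
# Synonyms and defaults follow smb.conf(5); both sample configs are constructed.

TRUE_WORDS = {"yes", "true", "1"}

# normalized parameter name -> (canonical name, value is inverted)
BOOLEAN_SYNONYMS = {
    "guestok": ("guestok", False),
    "public": ("guestok", False),
    "readonly": ("readonly", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; a later setting wins."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and spaces in parameter names.
        key = "".join(key.lower().split())
        value = value.strip()
        if key in BOOLEAN_SYNONYMS:
            key, inverted = BOOLEAN_SYNONYMS[key]
            flag = value.lower() in TRUE_WORDS
            value = "yes" if flag != inverted else "no"
        conf[section][key] = value
    return conf


def audit(text):
    """Summarize the security mode and the access settings of every share."""
    conf = parse_smb_conf(text)
    report = {
        "security": conf.get("global", {}).get("security", "user").lower(),
        "shares": {},
    }
    for name, params in conf.items():
        if name == "global":
            continue
        report["shares"][name] = {
            "guest_ok": params.get("guestok", "no") == "yes",
            "writable": params.get("readonly", "yes") == "no",
            "valid_users": params.get("validusers", ""),
        }
    return report


def guest_shares(text):
    """Names of shares for which no password is required."""
    shares = audit(text)["shares"]
    return sorted(name for name, s in shares.items() if s["guest_ok"])


# Constructed: [pub2] as posted (access-related lines only), [global]/[pub] assumed.
BEFORE = """
[global]
   security = share
[pub]
   path = /pub
   guest ok = yes
   read only = no
[pub2]
   path = /pub2
   public = yes
   writable = yes
   read only = no
"""

# Constructed: one way to apply the "security = user + map to guest" suggestion.
AFTER = """
[global]
   security = user
   map to guest = Bad User
[pub]
   path = /pub
   guest ok = yes
   read only = no
[pub2]
   path = /pub2
   guest ok = no
   valid users = userx
   read only = no
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text)["security"], "guest shares:", guest_shares(text))
```
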
Re: [Samba] SAMBA authentication ?
On Feb 4, 2008 5:48 PM, Charles Marcus [EMAIL PROTECTED] wrote:

Please post your smb.conf without comments.

Is there a command to generate this output?

There probably is a better way but this is the first thing I can think of:

grep -v ^# /etc/samba/smb.conf

John
Re: [Samba] SAMBA authentication ?
John Drescher wrote:

On Feb 4, 2008 5:48 PM, Charles Marcus [EMAIL PROTECTED] wrote:

Please post your smb.conf without comments.

Is there a command to generate this output?

There probably is a better way but this is the first thing I can think of:

grep -v ^# /etc/samba/smb.conf

John

This works pretty well:

testparm -s

... as it is formatted in a readable way, even if the smb.conf is messy.

Or you can do it this way:

grep -v '^[[:space:]]*[#;]\|^[[:space:]]*$' /etc/samba/smb.conf

... so you also remove blank lines as well as comments (both # and ;), even with leading whitespace.

-- Brian High
Re: [Samba] SAMBA authentication ?
Please post your smb.conf without comments.

Is there a command to generate this output?

-- Best regards, Charles
Re: [Samba] SAMBA authentication ?
Charles Marcus wrote:

Please post your smb.conf without comments.

Is there a command to generate this output?

# testparm -s > /tmp/smb.conf

Attach the /tmp/smb.conf.

--Sadique
Re: [Samba] SAMBA authentication ?
On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx.

What I did:
I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have a way to log on to user userx account?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John
Re: Re: [Samba] SAMBA authentication ?
Original Message
From: John Drescher [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx.

What I did:
I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have a way to log on to user userx account?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John

Ammm... John, what's the point of unix permissions? I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get a window to put login and password - why don't I have it?

here is ls

[EMAIL PROTECTED]:~# ls -l /home/
drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

What is important !!! The Windows workstations from which I try to log in don't have the account userx. The Windows environment is only a workgroup. And each station has its own login. Each time someone wants to access /pub2, a window asking for login and passwd should appear.
Re: Re: [Samba] SAMBA authentication ?
Ammm... John, what's the point of unix permissions?

If the unix user has no access to the share on the unix filesystem, Samba will not have any access either.

I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get a window to put login and password - why don't I have it?

here is ls

[EMAIL PROTECTED]:~# ls -l /home/
drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

This looks fine.

What is important !!! The Windows workstations from which I try to log in don't have the account userx. The Windows environment is only a workgroup. And each station has its own login. Each time someone wants to access /pub2, a window asking for login and passwd should appear.

Can you post your smb.conf?

John
Re: [Samba] SAMBA authentication ?
czezz wrote:

Original Message
From: John Drescher [EMAIL PROTECTED]
To: czezz [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Date: 3 February 2008 19:59
Subject: Re: [Samba] SAMBA authentication ?

On Feb 3, 2008 11:38 AM, czezz [EMAIL PROTECTED] wrote:

I have set up samba and configured resources /pub for pcguest account and it works perfect (read/write access for everyone. No authentication is needed)

Now, I want to set new resource called /pub2 where access is limited only for user userx.

What I did:
I created userx in /etc/passwd and his home dir in /pub2
I created userx using smbpasswd
Both users have the same passwd.

In /etc/samba/smb.conf added:

[pub2]
path = /pub2
volume = userx
comment = Programy userx
public = yes
writable = yes
share modes = yes
read only = no
create mode = 0775
directory mode = 0775
oplocks = True
level2 oplocks = True

After SAMBA restart: sitting on WindowsXP box I am able to see /pub and /pub2 resources. I can even browse /pub2 but I am unable to create any file or dir. This is expected behavior... but why the heck I can't have a way to log on to user userx account?

Did you check the unix permissions of the folder you are sharing? Does userx have rw permissions?

John

Ammm... John, what's the point of unix permissions? I can browse content of /pub2 from any workstation on LAN. The problem is that when I click on PUB2 resources I should get a window to put login and password - why don't I have it?

Are you using security=share or user? Please post your smb.conf without comments.

--Sadique

here is ls

[EMAIL PROTECTED]:~# ls -l /home/
drwxr-xr-x 3 pcguest pcguest 4096 2008-01-30 21:30 pub/
drwxr-xr-x 4 userx users 4096 2008-02-02 18:33 pub2/

What is important !!! The Windows workstations from which I try to log in don't have the account userx. The Windows environment is only a workgroup. And each station has its own login. Each time someone wants to access /pub2, a window asking for login and passwd should appear.
Re: [Samba] Samba Authentication against Radius server
I have my linux system configured to authenticate/authorize (windows XP and Vista) users for several services, like PPTP, SMTP and POP3, against a radius server (using PAM), and now I want to add support for samba authentication also. I was planning to do it by using one tdbsam backend (I can not have LDAP for several reasons, unfortunately) but I have some doubts:

Is it possible to authenticate samba users directly against the radius server (is there a way to do it)?

You can, but you basically have to break things to do it (enabling clear text passwords). You'd configure PAM to authenticate against RADIUS and configure Samba to use the traditional password database - but don't. Reconfigure your RADIUS server to authenticate users via Samba; not the other way around.

For tdbsam is there any solution to keep passwords sync with radius server?

There is a password sync feature in Samba. Updating Samba from RADIUS password changes would be another matter. But better to reconfigure your RADIUS server to use Samba for authentication, thus keeping one password database.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: [Samba] Samba authentication slow after upgrade to Samba 3
This is really frustrating me - I cannot seem to resolve the problem. Some users can connect no problem and others take a long time. The users that take a long time leave lots of entries in the messages file:

Jun 5 13:00:33 dfgsrv2 smbd[9148]: [2007/06/05 13:00:33, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:33 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:34 dfgsrv2 smbd[10665]: [2007/06/05 13:00:34, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:34 dfgsrv2 smbd[10665]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun 5 13:00:36 dfgsrv2 smbd[9148]: [2007/06/05 13:00:36, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:36 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:36 dfgsrv2 smbd[10670]: [2007/06/05 13:00:36, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:36 dfgsrv2 smbd[10670]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun 5 13:00:38 dfgsrv2 smbd[9148]: [2007/06/05 13:00:38, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:38 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:38 dfgsrv2 smbd[10671]: [2007/06/05 13:00:38, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:38 dfgsrv2 smbd[10671]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !
Jun 5 13:00:40 dfgsrv2 smbd[9148]: [2007/06/05 13:00:40, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:40 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:43 dfgsrv2 smbd[9148]: [2007/06/05 13:00:43, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:43 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:45 dfgsrv2 smbd[9148]: [2007/06/05 13:00:45, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:45 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:47 dfgsrv2 smbd[9148]: [2007/06/05 13:00:47, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:47 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:50 dfgsrv2 smbd[9148]: [2007/06/05 13:00:50, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:50 dfgsrv2 smbd[9148]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User rma !
Jun 5 13:00:51 dfgsrv2 smbd[10681]: [2007/06/05 13:00:51, 0] auth/pampass.c:smb_pam_passcheck(810)
Jun 5 13:00:51 dfgsrv2 smbd[10681]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User amcq !

I have upgraded my version of Samba to the latest one for RHEL 4 - samba-3.0.10-1.4E.12.2

Anyone got any ideas?

On Fri, 2007-06-01 at 08:32 +0100, Mansell, Gary wrote:

Hi,

I have just upgraded a server from Samba 2 to Samba 3 and some of the Windows clients are taking a long time to authenticate shares (1 or 2 minutes). Eventually the username/password box appears and then when you enter a correct password, all is fine - it is just the initial authentication.

This is a simple UNIX password Samba server (with NIS) and I have set it to not use encrypted passwords.

I get these errors, repeatedly, in the messages file:

[2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_auth(514)
  smb_pam_auth: PAM: Athentication Error for user mcr3
[2007/06/01 08:29:26, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Authentication Failure : Authentication failure
[2007/06/01 08:29:26, 0] auth/pampass.c:smb_pam_passcheck(810)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User mcr3 !

Here is my testparm output:

# Global parameters
[global]
workgroup = DFGSRV
server string = dfgsrv Samba Server %v
encrypt passwords = No
password level = 8
username level = 8
log level = 2
log file = /var/log/samba/%m.log
max log size = 200
deadtime = 30
socket options = SO_KEEPALIVE SO_BROADCAST TCP_NODELAY IPTOS_THROUGHPUT
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
oplocks = No
level2 oplocks = No

[homes]
comment = Home Directories
read only = No
create mask = 0664
directory mask = 0775

Any help gladly received as it is taking some of my users half an hour to disconnect from their previously mapped shares and to reconnect to them. The problem persists if a user logs out and back in again and after a Windows client machine reboot.

Regards
Gary
Re: [Samba] Samba authentication w/o using /etc/passwd?
Hi,

Suse 10.1, Yast, authentication, choose samba

greetings
daniel

Original Message
Date: Mon, 5 Mar 2007 09:05:19 -0800
From: Young [EMAIL PROTECTED]
To: samba@lists.samba.org
CC:
Subject: [Samba] Samba authentication w/o using /etc/passwd?

Hi,

Is there a way to configure Samba w/o using /etc/passwd but only Samba's local password file only? I'm looking for a simple way to configure it to avoid using /etc/passwd, if there's a way.

Thanks in advance!

- Young
Re: [Samba] Samba Authentication of Local Linux Users
Michael Thrift wrote:

I am not authenticating domain users, or windows users, and I don't want to use smbpasswd. Is there some way to force samba to authenticate against pam, and only pam? My goal is to not add an administrative load whatsoever.

The last goal is not one you can achieve. If you want to authenticate against PAM, you have to set encrypt passwords = no. Note, however, that the man page says:

The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

Now, if you choose to set that option, you have to modify all of your clients, by importing the appropriate PlainPassword.reg file from the samba distribution.

So, basically, you have a choice between modifying how you manage and change passwords, so that you can support a secure login method for SMB, or changing the configuration of all of your windows clients considerably degrading security.
Re: [Samba] Samba Authentication of Local Linux Users
Actually, I figured out what I wanted. I wasn't expressing it well, mainly cause I couldn't think straight after staring at the monitor for so long.

Basically, what I didn't realize earlier is how pam_smbpasswd worked. After stepping away from the problem for a few hours it hit me with a huge DUR! pam_smbpasswd does exactly what I want. Of course I don't want clear text passwords, so by using pam_smbpasswd it automagically keeps both files up-to-date when a user changes their pass through passwd (I recognize that I'm preaching to the choir).

Thanks for taking the time to read my post!

Mike.

Gordon Messmer wrote:

Michael Thrift wrote:

I am not authenticating domain users, or windows users, and I don't want to use smbpasswd. Is there some way to force samba to authenticate against pam, and only pam? My goal is to not add an administrative load whatsoever.

The last goal is not one you can achieve. If you want to authenticate against PAM, you have to set encrypt passwords = no. Note, however, that the man page says:

The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

Now, if you choose to set that option, you have to modify all of your clients, by importing the appropriate PlainPassword.reg file from the samba distribution.

So, basically, you have a choice between modifying how you manage and change passwords, so that you can support a secure login method for SMB, or changing the configuration of all of your windows clients considerably degrading security.
RE: [Samba] Samba authentication slow against PDC
The x in 3.0.x is interesting. There has been a serious optimization in 3.0.10, significant more work there is to come in 3.0.11

Volker

Actually the PDC and BDC are both running Samba v3.0.10 while the troublesome server is running 3.0.9. Commenting out the username level setting seems to have fixed our issue. I'm going to let the 3.0.9 server run for awhile and see if the authentication problem comes up again. If everything runs smoothly then I'm a little reluctant to upgrade it since I'm a firm believer in if it's not broke don't fix it. I'll also take a look at the release notes for 3.0.10 and 3.0.11 to see if anything specifically addresses the issue we were having.

Thanks,
Chris
RE: [Samba] Samba authentication slow against PDC
Just an update on what the fix for this problem was. It was an entry called username level which in our smb.conf file was set to 8. This caused the samba server to query ldap 256 times per user which caused the CPU on our PDC/LDAP server to peg. After setting this entry to 0 everything is working as it should.

Chris
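The 256 lookups reported above are what a case-guessing search produces for an eight-letter name. This added example (a model, not Samba's code) treats `username level = N` as trying the lowercase name and then every variant with up to N uppercase letters, which is an assumed simplification of the behaviour described in smb.conf(5). The account names and the in-memory directory are constructed.

```python
# Added example: cost of case-guessing a username against a directory.
# Assumption: "username level = N" is modeled as the lowercase name followed by
# every variant with 1..N uppercase letters; each candidate costs one lookup.
from itertools import combinations
from math import comb


def case_variants(name, level):
    """Yield candidate spellings in the order this model tries them."""
    base = name.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(0, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def variant_count(name, level):
    """Closed form: sum of C(n, k) for k = 0..min(level, n) letters."""
    n = sum(ch.isalpha() for ch in name)
    return sum(comb(n, k) for k in range(0, min(level, n) + 1))


def resolve(name, level, directory):
    """Return (matching account or None, number of directory lookups)."""
    lookups = 0
    for candidate in case_variants(name, level):
        lookups += 1  # stands in for one passwd/LDAP query
        if candidate in directory:
            return candidate, lookups
    return None, lookups


# Constructed directory contents; real accounts would live in passwd/LDAP.
DIRECTORY = {"auser", "JSmith"}

if __name__ == "__main__":
    for name, level in (("AUSER", 8), ("jsmith", 8),
                        ("guestusr", 8), ("guestusr", 2), ("guestusr", 0)):
        account, lookups = resolve(name, level, DIRECTORY)
        print(f"{name!r} level={level}: {account} after {lookups} lookups")
```

A name that matches in lowercase costs one lookup at any level; the worst case is a name that never matches, because every variant is tried before the search gives up.
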
Re: [Samba] Samba authentication slow against PDC
We are currently running three Samba 3.0.x file servers which authenticate against a Samba PDC running LDAP. 2 out of the 3 samba servers authenticate quickly(5 seconds) when using smbclient -L localhost -U username however the third will eventually time out saying Server did not respond in 2 milliseconds. NetBIOS over TCP disabled when there is any sort of load on it ~30% cpu usage.

How many clients do you have running against your server(s). Have you ever considered a BDC? What program is chewing up the most cpu when you're at 30%? How many distinct samba processes do you have going?

Try dropping in with a console and seeing how well a command like getent passwd or getent group, or even an ls -alF responds. If it's slow then your LDAP link could be to blame. Make sure that you've got nscd running on your PDC. Maybe you need to split your LDAP master off the machine (assuming it's not).

These are some guesses I've seen cause issues, but maybe with more load information as to what is chewing up your cpu it will be more clear.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Systems Architect
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
RE: [Samba] Samba authentication slow against PDC
Paul,

Thanks for your reply.

How many clients do you have running against your server(s).

Just shy of 1000. 952 total clients.

ever considered a BDC?

We do have a BDC although it doesn't take as much of a load off of our PDC as I would like. The PDC will run around 70% utilization during real busy times, usually in the morning, while the BDC will be running around 30-40%. People are still able to authenticate against the BDC and run their login scripts from the BDC so I know it is working. I was kicking around the idea of having BDCs at each customer location however client authentication doesn't seem to be the issue as much as our third samba server deciding if the user has access to a share.

What program is chewing up the most cpu when you're at 30%?

SMBD takes up 30% on the file server and SLAPD takes up to 70% on the PDC.

How many distinct samba processes do you have going?

Didn't look on the file server but I know the PDC had 1200 LDAP connections when it usually only has 200-500. Once I rebooted the problematic Samba server that number dropped to 170 or so. I will check tomorrow and let you know how many smbd processes I have running.

Try dropping in with a console and seeing how well a command like getent passwd or getent group, or even an ls -alF responds.

When I run getent passwd from the problem file server it responds almost immediately streaming user entries. Same with getent group. I can also do id username and it returns information within 1 second. A little slower than if the PDC and Fileserver had no load on them but it wasn't painfully slow. I did notice that when I ran ls -al in /homes it took a real long time(7 seconds) to display the directories. I'm wondering if the samba problem is because we have 1000 user home directories under /home. I'm not real familiar with the way Samba authenticates a user to access a share but this could definitely be a problem.

If it's slow then your LDAP link could be to blame.

Possibly, however our other 2 samba servers don't seem to have any issues when the third one does.

Make sure that you've got nscd running on your PDC.

I didn't enable nscd since I've read nscd can chew up system resources and cause stability issues. Since we are having stability issues anyway I'll enable it and let you know Tuesday if that made a difference.

I'll keep working on it and let you know if I find anything.

Thanks,
Chris
Re: [Samba] Samba authentication slow against PDC
On Mon, Jan 17, 2005 at 04:22:09PM -0600, Chris Snider wrote:

We are currently running three Samba 3.0.x file servers which authenticate

The x in 3.0.x is interesting. There has been a serious optimization in 3.0.10, significant more work there is to come in 3.0.11

Volker
RE: [Samba] Samba authentication against an NT group in Apache
Hi,

I have exactly the same problem with my web server ...

Linux/redhat9.0 / kernel 2.4.20-20.9.1 (+ Acl patches)
Samba 3.0.2a / compiles with winbind and Acl options
Apache 2.0.40 / with mod_auth_pam 2.xx included

Authentication to samba share from a windows workstation using Acl + winbind + Nt domain groups works fine. But I have some problems when I want to use NT domain groups to restrict web access to web directory ... only single user authorization works fine but ... never with a domain group ...

Note that single authorization works fine but in case-sensitive mode ... If I specify require group MyDomain\MyUser in the .htaccess file, I MUST exactly type MyDomain\MyUser on the keyboard when the identification box appears ! It doesn't work if I type mydomain\myuser !

Have you solved your problem or found an acceptable solution to use domain groups ?

Thanks a lot for your help.

Christian PIGNOL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam H. Lewenberg
Sent: Monday 9 February 2004 19:40
To: [EMAIL PROTECTED]
Subject: [Samba] Samba authentication against an NT group in Apache

We would like to have our Apache Linux-based web server use our existing NT domain to authenticate some of our web pages. We are using the Apache module mod_auth_pam to use pam-based authentication and then the winbind pam module to do the actual authentication.

We have gotten to the point where we can authenticate using NT _users_, but we have not been able to authenticate using _groups_. For example, we can restrict a web page so that only the NT user joeuser can gain access to the page, but we have been unable to configure Apache so that any user of the NT group SpecialAccess (of which joeuser is a member) can gain access but no one else.

Here is the .htaccess file we used to try to do this:

##
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthAuthoritative Off
AuthType Basic
AuthName test
require group OURNTDOMAIN\SpecialAccess
##

Apache generates the following error:

##
[Mon Feb 02 16:20:40 2004] [crit] [client 130.126.35.93] configuration error: couldn't check access. No groups file?: /grouptest/index.html
##

Here are some more details on our setup:

---
Linux Redhat Enterprise Linux 3
Samba Version 3.0.0-14.3E
Apache 2.0.46
mod_pam_auth 2.0-1.1.1

The configuration file that mod_auth_pam uses is called /etc/pam.d/httpd and contains the lines

##
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
##

The samba configuration file contains these lines:

##
[global]
workgroup = OURNTDOMAIN
encrypt passwords = yes
security = domain
password server = pdccontroller1
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

Any ideas or suggestions are very welcome. Thank you.

Alan L.
Re: [Samba] Samba authentication via pam
Mike Klein wrote:

My pam file for samba has pam_nologin for auth. I would like to remove as many password files as possible for services on my linux box and have them go thru pam and etc/shadow. Is it possible for samba to auth thru pam? and then I can eliminate smbpasswd file?

Yes it is possible, but everyone recommends against it, because it requires you to specify encrypt password = no in your smb.conf and various registry patches on your clients. The worst thing would be, that in that case every password would be sent in clear text over the wire.

Best Regards!

Geza Gemes
Re: [Samba] Samba authentication via pam
On Tue, 23 Sep 2003, Mike Klein wrote:

My pam file for samba has pam_nologin for auth. I would like to remove as many password files as possible for services on my linux box and have them go thru pam and etc/shadow. Is it possible for samba to auth thru pam? and then I can eliminate smbpasswd file?

Your question implies way too many possibilities. I wrote a book that answers your questions. Suggest you read it. It will be on the bookstore shelves by October 24th.

The Official Samba-3 HOWTO and Reference Guide.

This is also available (minus a little content) as the Samba-HOWTO-Collection.pdf that ships with samba-3.0.0RC4. It's in the ~samba/docs directory, and is also available from the Samba web pages under documents.

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] Samba authentication via pam
I don't think unencrypted passwords=no will be a problem for me as I am running on my own private LAN. I don't expose smb traffic over the internet, and when I need samba remotely I do it via vpn/pptp.

In my test last night I forgot to set unencryptedpasswords=no...thanks for the reminder.

mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gémes Géza
Sent: Tuesday, September 23, 2003 8:39 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba authentication via pam

Mike Klein wrote:

My pam file for samba has pam_nologin for auth. I would like to remove as many password files as possible for services on my linux box and have them go thru pam and etc/shadow. Is it possible for samba to auth thru pam? and then I can eliminate smbpasswd file?

Yes it is possible, but everyone recommends against it, because it requires you to specify encrypt password = no in your smb.conf and various registry patches on your clients. The worst thing would be, that in that case every password would be sent in clear text over the wire.

Best Regards!

Geza Gemes
Re: [Samba] Samba authentication
I have two separate subnets, two servers, and one domain. I want to serve half of my users from server A and half from server B, but all users would be able to log onto both subnets. The reason I want to separate them like this is so that the home directories and profiles will be split between the servers. Is it possible to serve the profiles and home dirs from a samba server the user doesn't authenticate with? In other words, what I'd like is for a user on server A (controlling subnet A) to be able to log into a PC on subnet A and B and have his home dir and profile served from server A. At the same time, I'd like different users to have the same ability using server B.

Rob

[EMAIL PROTECTED] wrote:

I think it is possible, but why would you do it? What you said sounds weird. Why do you want both servers to auth from each other first? Normally you would only have server B auth from server A and then B. And server A auth from server A then B. Are you sure you don't want to replicate servers A B's databases?

- Original Message -
From: Robert Rati [EMAIL PROTECTED]
Date: Wednesday, September 10, 2003 7:31 am
Subject: [Samba] Samba authentication

Is it possible to have two samba servers in two separate domains acting as PDCs authenticate against each other for logins? IE server A attempts to authenticate against B and then itself, and server B attempts to authenticate against A and then itself. Any help doing this would be very much appreciated.

Rob
Re: [Samba] samba authentication
On Sat, 2003-02-22 at 15:23, Daniel Provin wrote:
> Hi
>
> I've read a lot about setting up samba as a password server, and authenticating unix users against a samba server, but is there any way to authenticate samba users (like on logon) against the unix users and passwords (the users on the passwd and on the shadow files)?

yes you can do it with unencrypted passwords

i don't recommend this... in practice it is not a problem to keep the unix and samba passwords in sync (pam_smbpass for unix password changes) and the samba built in unix updaters for changes from windows.

brad

--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] samba authentication
okay so, I just need to activate the pam_smbpass module to keep the smbpass with the last password

but is there any way to build an initial list of passwords from unix passwords?

Daniel Provin
Linux User #191271
EEL LABMETRO UFSC

On 22 Feb 2003, Bradley W. Langhorst wrote:
> On Sat, 2003-02-22 at 15:23, Daniel Provin wrote:
> > Hi
> >
> > I've read a lot about setting up samba as a password server, and authenticating unix users against a samba server, but is there any way to authenticate samba users (like on logon) against the unix users and passwords (the users on the passwd and on the shadow files)?
>
> yes you can do it with unencrypted passwords
>
> i don't recommend this... in practice it is not a problem to keep the unix and samba passwords in sync (pam_smbpass for unix password changes) and the samba built in unix updaters for changes from windows.
>
> brad
>
> --
> Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] samba authentication
On Sat, 2003-02-22 at 15:55, Daniel Provin wrote:
> okay so, I just need to activate the pam_smbpass module to keep the smbpass with the last password
>
> but is there any way to build an initial list of passwords from unix passwords?

well you could crack all your users passwords... probably wouldn't take more than a few weeks if you're using crypt.

seriously - i don't know an easy way to deal with this problem. You might be able to configure pam to update the samba password upon login. or put the smbpasswd program into the logon script so that your users change it when they log in

brad

--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: [Samba] samba authentication
Hi,

Create a Perl wrapper to update both passwd and smbpasswd.

Bri-
Re: [Samba] samba authentication
is crypt that bad? :)

anyways, gonna put the pam_smbpass to work first !

thanks

Daniel Provin
Linux User #191271
EEL LABMETRO UFSC

On 22 Feb 2003, Bradley W. Langhorst wrote:
> On Sat, 2003-02-22 at 15:55, Daniel Provin wrote:
> > okay so, I just need to activate the pam_smbpass module to keep the smbpass with the last password
> >
> > but is there any way to build an initial list of passwords from unix passwords?
>
> well you could crack all your users passwords... probably wouldn't take more than a few weeks if you're using crypt.
>
> seriously - i don't know an easy way to deal with this problem. You might be able to configure pam to update the samba password upon login. or put the smbpasswd program into the logon script so that your users change it when they log in
>
> brad
>
> --
> Bradley W. Langhorst [EMAIL PROTECTED]
RE: [Samba] Samba Authentication against NT domain
No, not in my experience. Since Samba (in domain mode) will forward all authentication requests to the PDC of the domain, it just has to join the domain (which causes the PDC to create a machine account for the Samba server automagically).

Beast [EMAIL PROTECTED] 01/09/03 20:20 PM

At 01:48 PM 1/9/2003 -0600, you wrote:
> Try something like this...
> ...
> # useradd machine$ -- with the dollar sign
> # smbpasswd -a -m machine

Is this command required? its for samba acting as PDC only.

from man page :

-m This option tells smbpasswd that the account being changed is a MACHINE account. Currently this is used when Samba is being used as an NT Primary Domain Controller.
RE: [Samba] Samba Authentication against NT domain
At 06:51 AM 1/10/2003 -0600, Troy.A Johnson wrote:
> No, not in my experience. Since Samba (in domain mode) will forward all authentication requests to

Correct, in fact we can have blank smbpasswd as long as account already in /etc/passwd.

however, problem with this forward model is we need to add this samba server to allowed logon w/s in nt user account, still not similar to NT domain member :(

> the PDC of the domain, it just has to join the domain (which causes the PDC to create a machine account for the Samba server automagically).

machine account will be stored in pdc (nt), not samba.
Re: [Samba] Samba Authentication against NT domain
Hi

You have to set the parameter security to domain or server;

security = server -- if you are going to use another samba box to authenticate
Security = domain -- if you are going to use a NT box to authenticate

if you use domain you have to set

encrypt passwords = yes

and

password server = your-pdc your-bdc

I think that's all..

On Thu, 2003-01-09 at 12:10, Gram, Danielle A. wrote:
> Hi Everyone,
>
> I have Samba version 2.2.2 installed on an HP-UX 11.0 server. With Samba, I have users on NT/2000 clients mapping drives to the server, but I want it to authenticate automatically (against their NT domain accounts). Currently, when a user maps a drive to the server, they are prompted for a Samba password. But, I only want to create one account for each user on the UNIX server and have them authenticate and map automatically (without being prompted), so I don't have to create Samba accounts too.
>
> Currently, we have another server running Samba that is doing this, but I can't remember what the setting/configuration is. I have searched all through SWAT and haven't found it. I was thinking there was a switch in some other file...?? Any ideas?? I would really appreciate any help...
>
> Thanks,
> Danielle
>
> Danielle A. Gram
> Phone: (330) 471-3081
> E-Mail: [EMAIL PROTECTED]

--
Aldo Damian Ambriz Martinez
Depto Sistemas Operativos
El Palacio de Hierro S.A. de C.V
52295401 ext 1118
RE: [Samba] Samba Authentication against NT domain
Hi,

Thank you for the information, but I already have all those settings in my smb.conf file. Actually, I have compared the two smb.conf files (on the system that works and the one that doesn't) and they are EXACTLY the same except for server name and IP address. I was thinking there was some other file or setting, possibly in the OS and not in the regular Samba files???

Any other ideas?

Thanks again,
Danielle

-----Original Message-----
From: Aldo Damian Ambriz Martinez -- Unix SysAdmin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 1:42 PM
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] Samba Authentication against NT domain

Hi

You have to set the parameter security to domain or server;

security = server -- if you are going to use another samba box to authenticate
Security = domain -- if you are going to use a NT box to authenticate

if you use domain you have to set

encrypt passwords = yes

and

password server = your-pdc your-bdc

I think that's all..

On Thu, 2003-01-09 at 12:10, Gram, Danielle A. wrote:
> Hi Everyone,
>
> I have Samba version 2.2.2 installed on an HP-UX 11.0 server. With Samba, I have users on NT/2000 clients mapping drives to the server, but I want it to authenticate automatically (against their NT domain accounts). Currently, when a user maps a drive to the server, they are prompted for a Samba password. But, I only want to create one account for each user on the UNIX server and have them authenticate and map automatically (without being prompted), so I don't have to create Samba accounts too.
>
> Currently, we have another server running Samba that is doing this, but I can't remember what the setting/configuration is. I have searched all through SWAT and haven't found it. I was thinking there was a switch in some other file...?? Any ideas?? I would really appreciate any help...
>
> Thanks,
> Danielle
>
> Danielle A. Gram
> Phone: (330) 471-3081
> E-Mail: [EMAIL PROTECTED]

--
Aldo Damian Ambriz Martinez
Depto Sistemas Operativos
El Palacio de Hierro S.A. de C.V
52295401 ext 1118
RE: [Samba] Samba Authentication against NT domain
Danielle,

Did you join the domain with the new Samba server?

smbpasswd -j DOMAIN -U Administrator

(or something similar).

Good luck,
Troy

Gram, Danielle A. [EMAIL PROTECTED] 01/09/03 12:59PM

Any other ideas?

On Thu, 2003-01-09 at 12:10, Gram, Danielle A. wrote:
> Hi Everyone,
>
> I have Samba version 2.2.2 installed on an HP-UX 11.0 server. With Samba, I have users on NT/2000 clients mapping drives to the server, but I want it to authenticate automatically (against their NT domain accounts). Currently, when a user maps a drive to the server, they are prompted for a Samba password. But, I only want to create one account for each user on the UNIX server and have them authenticate and map automatically (without being prompted), so I don't have to create Samba accounts too.
>
> Currently, we have another server running Samba that is doing this, but I can't remember what the setting/configuration is. I have searched all through SWAT and haven't found it. I was thinking there was a switch in some other file...?? Any ideas?? I would really appreciate any help...
RE: [Samba] Samba Authentication against NT domain
Try something like this...

[global]
workgroup = yourdomain
security = domain
encrypt passwords = yes
password server = pdc bdc
--

# smbpasswd -j yourdomain -Uadministrator%password
# useradd machine$ -- with the dollar sign
# smbpasswd -a -m machine

machine = your server.

bye

On Thu, 2003-01-09 at 12:59, Gram, Danielle A. wrote:
> Hi,
>
> Thank you for the information, but I already have all those settings in my smb.conf file. Actually, I have compared the two smb.conf files (on the system that works and the one that doesn't) and they are EXACTLY the same except for server name and IP address. I was thinking there was some other file or setting, possibly in the OS and not in the regular Samba files???
>
> Any other ideas?
>
> Thanks again,
> Danielle
>
> -----Original Message-----
> From: Aldo Damian Ambriz Martinez -- Unix SysAdmin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 1:42 PM
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Samba Authentication against NT domain
>
> Hi
>
> You have to set the parameter security to domain or server;
>
> security = server -- if you are going to use another samba box to authenticate
> Security = domain -- if you are going to use a NT box to authenticate
>
> if you use domain you have to set
>
> encrypt passwords = yes
>
> and
>
> password server = your-pdc your-bdc
>
> I think that's all..
>
> On Thu, 2003-01-09 at 12:10, Gram, Danielle A. wrote:
> > Hi Everyone,
> >
> > I have Samba version 2.2.2 installed on an HP-UX 11.0 server. With Samba, I have users on NT/2000 clients mapping drives to the server, but I want it to authenticate automatically (against their NT domain accounts). Currently, when a user maps a drive to the server, they are prompted for a Samba password. But, I only want to create one account for each user on the UNIX server and have them authenticate and map automatically (without being prompted), so I don't have to create Samba accounts too.
> >
> > Currently, we have another server running Samba that is doing this, but I can't remember what the setting/configuration is. I have searched all through SWAT and haven't found it. I was thinking there was a switch in some other file...?? Any ideas?? I would really appreciate any help...
> >
> > Thanks,
> > Danielle
> >
> > Danielle A. Gram
> > Phone: (330) 471-3081
> > E-Mail: [EMAIL PROTECTED]
>
> --
> Aldo Damian Ambriz Martinez
> Depto Sistemas Operativos
> El Palacio de Hierro S.A. de C.V
> 52295401 ext 1118

--
Aldo Damian Ambriz Martinez
Depto Sistemas Operativos
El Palacio de Hierro S.A. de C.V
52295401 ext 1118
RE: [Samba] Samba Authentication against NT domain
Thanks very much! That worked!

-----Original Message-----
From: Aldo Damian Ambriz Martinez -- Unix SysAdmin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 2:48 PM
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Samba Authentication against NT domain

Try something like this...

[global]
workgroup = yourdomain
security = domain
encrypt passwords = yes
password server = pdc bdc
--

# smbpasswd -j yourdomain -Uadministrator%password
# useradd machine$ -- with the dollar sign
# smbpasswd -a -m machine

machine = your server.

bye

On Thu, 2003-01-09 at 12:59, Gram, Danielle A. wrote:
> Hi,
>
> Thank you for the information, but I already have all those settings in my smb.conf file. Actually, I have compared the two smb.conf files (on the system that works and the one that doesn't) and they are EXACTLY the same except for server name and IP address. I was thinking there was some other file or setting, possibly in the OS and not in the regular Samba files???
>
> Any other ideas?
>
> Thanks again,
> Danielle
>
> -----Original Message-----
> From: Aldo Damian Ambriz Martinez -- Unix SysAdmin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 1:42 PM
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [Samba] Samba Authentication against NT domain
>
> Hi
>
> You have to set the parameter security to domain or server;
>
> security = server -- if you are going to use another samba box to authenticate
> Security = domain -- if you are going to use a NT box to authenticate
>
> if you use domain you have to set
>
> encrypt passwords = yes
>
> and
>
> password server = your-pdc your-bdc
>
> I think that's all..
>
> On Thu, 2003-01-09 at 12:10, Gram, Danielle A. wrote:
> > Hi Everyone,
> >
> > I have Samba version 2.2.2 installed on an HP-UX 11.0 server. With Samba, I have users on NT/2000 clients mapping drives to the server, but I want it to authenticate automatically (against their NT domain accounts). Currently, when a user maps a drive to the server, they are prompted for a Samba password. But, I only want to create one account for each user on the UNIX server and have them authenticate and map automatically (without being prompted), so I don't have to create Samba accounts too.
> >
> > Currently, we have another server running Samba that is doing this, but I can't remember what the setting/configuration is. I have searched all through SWAT and haven't found it. I was thinking there was a switch in some other file...?? Any ideas?? I would really appreciate any help...
> >
> > Thanks,
> > Danielle
> >
> > Danielle A. Gram
> > Phone: (330) 471-3081
> > E-Mail: [EMAIL PROTECTED]
>
> --
> Aldo Damian Ambriz Martinez
> Depto Sistemas Operativos
> El Palacio de Hierro S.A. de C.V
> 52295401 ext 1118

--
Aldo Damian Ambriz Martinez
Depto Sistemas Operativos
El Palacio de Hierro S.A. de C.V
52295401 ext 1118
RE: [Samba] Samba Authentication against NT domain
At 01:48 PM 1/9/2003 -0600, you wrote:
> Try something like this...
> ...
> # useradd machine$ -- with the dollar sign
> # smbpasswd -a -m machine

Is this command required? its for samba acting as PDC only.

from man page :

-m This option tells smbpasswd that the account being changed is a MACHINE account. Currently this is used when Samba is being used as an NT Primary Domain Controller.
Re: [Samba] Samba authentication
Each user that needs to access the server will need to be a linux user as well, with unix permissions to access the directory in question. It is best to use user security instead of domain with password synchronization between samba and unix enabled. Any users created in unix will be added to samba.

If this becomes an issue (too many users, two systems to maintain), you may want to consider mapping bad usernames to guest, setting the guest user up as a generic user in unix, then allowing guest access to the share. This pretty much opens the share up to everyone, something you may wish to avoid. This is usually done when deploying Samba as a print server. It avoids administrative overhead.

You can also use winbind to synchronize samba permissions with a NT domain. This is beyond me, someone else could step up to help you there.

Another thing to consider - the samba user needs to have permissions to access the unix directory. Samba permissions and unix permissions are two distinct issues. You could share a directory in samba that nobody can read, let alone write to from Windows. The individual users need to have access, or better yet the group to which they belong. Conversely, if you map to guest, make certain the guest user has rights to the unix directory.

You may want to download Webmin (www.webmin.com). It gives you a nice web-based interface to manage everything.

Good luck,
Steve

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 28, 2002 6:03 AM
Subject: [Samba] Samba authentication

Hi,

I'm trying to set up samba for the first time. I can already ping the linux machine from a windows machine by its NetBIOS name. But when I try to do \\linux (that's the machine name) it asks me for username and password

Here goes my smb.conf file:

[global]
workgroup = NS
netbios name = Linux
server string = Samba Server
hosts allow = 192.168.69. 127.
interfaces = 192.168.69.110/24
log file = /var/log/log.%m
max log size = 50
security = domain
password server = *
encrypt passwords = yes
socket options = TCP_NODELAY
os level = 255
wins support = no
dns support = no

Do I have to create users locally, or say that specific users from the domain can access the server? I haven't created any share yet, might that be a problem too?

Thanks in advance...

Filipe Joel de ALmeida
RE: [Samba] Samba authentication
Thanks Steve for your time.

I'm trying to do everything by hand and without any GUI or wizards, so that I really learn how things work, so I'm having a little more work (especially because I just started using linux this week) but I think that with time it will be better this way.

My idea for now is to have a Linux server integrated into a W2K domain, and providing that domain users with files. I have the users in the domain grouped in several groups. Isn't there any way that I, on the linux machine, share folders for a certain group and every user that is created in W2K and added to that group has access to that folder.

My problem is that my first production deployment of samba is in a network of 100+ users with some rotativity (lots of users gone, and new come in). I really don't want to have to create each user twice.

Can anyone tell me a way to implement this kind of solution?

Filipe Joel de Almeida
Network Consultant
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Thom [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 28 September 2002 17:59
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Samba] Samba authentication

Each user that needs to access the server will need to be a linux user as well, with unix permissions to access the directory in question. It is best to use user security instead of domain with password synchronization between samba and unix enabled. Any users created in unix will be added to samba.

If this becomes an issue (too many users, two systems to maintain), you may want to consider mapping bad usernames to guest, setting the guest user up as a generic user in unix, then allowing guest access to the share. This pretty much opens the share up to everyone, something you may wish to avoid. This is usually done when deploying Samba as a print server. It avoids administrative overhead.

You can also use winbind to synchronize samba permissions with a NT domain. This is beyond me, someone else could step up to help you there.

Another thing to consider - the samba user needs to have permissions to access the unix directory. Samba permissions and unix permissions are two distinct issues. You could share a directory in samba that nobody can read, let alone write to from Windows. The individual users need to have access, or better yet the group to which they belong. Conversely, if you map to guest, make certain the guest user has rights to the unix directory.

You may want to download Webmin (www.webmin.com). It gives you a nice web-based interface to manage everything.

Good luck,
Steve

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 28, 2002 6:03 AM
Subject: [Samba] Samba authentication

Hi,

I'm trying to set up samba for the first time. I can already ping the linux machine from a windows machine by its NetBIOS name. But when I try to do \\linux (that's the machine name) it asks me for username and password

Here goes my smb.conf file:

[global]
workgroup = NS
netbios name = Linux
server string = Samba Server
hosts allow = 192.168.69. 127.
interfaces = 192.168.69.110/24
log file = /var/log/log.%m
max log size = 50
security = domain
password server = *
encrypt passwords = yes
socket options = TCP_NODELAY
os level = 255
wins support = no
dns support = no

Do I have to create users locally, or say that specific users from the domain can access the server? I haven't created any share yet, might that be a problem too?

Thanks in advance...

Filipe Joel de ALmeida
Re: [Samba] Samba authentication through NIS
On Fri, May 10, 2002 at 02:35:05PM -0400, Anna Arbit wrote:
> I got rid of the Domain controller (well.. it crashed).. and there is no need to have one. So right now i'm trying to make users authenticate via NIS. Is that at all possible?

Samba can authenticate with NIS passwords if your client machines use cleartext passwords. As I recall, all versions of Windows after Windows 95 (or actually everything starting from NT4+SP3) want to use encrypted passwords only. I know that there are registry patches included with Samba to allow cleartext passwords, but you will have to apply them to every client PC. Look at the ENCRYPTION.txt file in the Samba documentation for more information on this, and look at the description of the encrypt passwords option in smb.conf.

Personally, I would suggest setting up UNIX password sync instead. If you have more than a few client PCs it would be easier to get that working than to go around and apply registry changes to every PC, and you wouldn't have to remember to do it when you add or reinstall a machine. There are some complications with getting passwd sync and NIS to work together, check the list archives for the discussions.

--
That feeling just came over me. -- Albert DeSalvo, the Boston Strangler
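The messages above keep coming back to the same smb.conf trade-offs: cleartext passwords to authenticate against PAM, /etc/shadow or NIS, the settings a domain member needs, and guest mapping that opens a share to everyone. The following smb.conf audit is an added example, not code from any poster or from the Samba project; the two sample configurations are constructed from settings quoted in the thread, and the finding names are hypothetical labels.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# Constructed sample: cleartext auth plus guest mapping, as discussed in the thread.
WEAK_CONF = """\
[global]
   workgroup = NS
   security = user
# cleartext passwords so smbd can check /etc/shadow or NIS
   Encrypt Passwords = No
   map to guest = Bad User
[files]
   path = /srv/files
   public = yes
"""

# Constructed sample: the domain-member settings posted in the thread.
DOMAIN_CONF = """\
[global]
   workgroup = yourdomain
   security = domain
   encrypt passwords = yes
   password server = pdc bdc
[files]
   path = /srv/files
   valid users = @staff
"""


def norm(name):
    """smb.conf ignores case and all whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalized names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections


def as_bool(value, default):
    v = (value or "").lower()
    return True if v in TRUE else False if v in FALSE else default


def audit(text):
    """Return (section, finding) pairs for risky authentication settings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # An explicit 'encrypt passwords = no' sends every password in clear text.
    if "encryptpasswords" in g and not as_bool(g["encryptpasswords"], True):
        findings.append(("global", "cleartext-passwords"))

    # Thread advice: with security = domain or server, name the password server(s).
    if g.get("security", "").lower() in ("domain", "server") and not g.get("passwordserver"):
        findings.append(("global", "no-password-server"))

    # Bad-user-to-guest mapping plus a guest-accessible share opens it to everyone.
    maps_guest = norm(g.get("maptoguest", "never")) != "never"
    for name, params in conf.items():
        if name == "global":
            continue
        # 'public' is a synonym for 'guest ok'; fall back to a [global] default.
        guest = params.get("guestok", params.get("public", g.get("guestok", g.get("public"))))
        if maps_guest and as_bool(guest, False):
            findings.append((name, "guest-share-open"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("domain member", DOMAIN_CONF)):
        print(label, audit(text))
```

Only explicit settings are flagged, because the default for encrypt passwords differs between Samba releases; check the smb.conf man page for the version in use.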