Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
On 20/06/13 17:12, Gaiseric Vandal wrote:
> If you want to centralize the samba accounts I think the proper way would be to use member servers.

Just yesterday I had the same problem with a member server (running samba 3.6.15), pointing to the ldap server on the domain controller (3.5.2). No matter what I did, net setlocalsid seemed to do nothing.

I don't remember what I did to finally solve it, I only know that I deleted secrets.tdb (and/or the rest of the tdb files) a million times, deleting the domain for the new server in ldap, and trying to set the localsid before joining the domain, and finally the member server got the same sid as the domain (also stored in ldap). I'm not convinced it's 100% working yet (e.g. smbclient -L shows the workgroup but not the master) but at least it doesn't complain and I can see its shares.

The funny thing is, I have another member server, which has been working fine (samba 3.5.6) for a while, yet yesterday, while trying to debug the new server, I discovered it complained about the same sid mismatch.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users.

If you want multiple samba servers to use the same LDAP backend, they essentially all need to be domain controllers of the same domain. This is the supported way to have a single backend shared between multiple servers. You don't need to ever use the DC function from windows clients, but the servers need to think they are a DC.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
For me the better way would be to run several openldap servers in master-master replication on your DC and several BDCs. And no headache about anything. Or just point your BDCs to authenticate against the DC's openldap. But when your DC is down your authentication is gone.

Greetings
Daniel
---
EDV Daniel Müller
Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Andrew Bartlett
Sent: Friday, 21 June 2013 09:58
To: Philipp Lies
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

> If you want multiple samba servers to use the same LDAP backend, they essentially all need to be domain controllers of the same domain. This is the supported way to have a single backend shared between multiple servers. You don't need to ever use the DC function from windows clients, but the servers need to think they are a DC.
>
> Andrew Bartlett
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
Thanks for the recommendations! I was hoping that there'd be a simple solution/config parameter to force the samba server to trust the LDAP (it's still puzzling me why the other machines I have do work like that). I'll try to set up my new servers as DCs and see how this goes. The idea of using the samba servers for LDAP replication as well sounds interesting. I'll look into that as well.

Thanks!
Philipp

On 21.06.2013 10:23, Daniel Müller wrote:
> For me the better way would be to run several openldap servers in master-master replication on your DC and several BDCs. And no headache about anything. Or just point your BDCs to authenticate against the DC's openldap. But when your DC is down your authentication is gone.
>
> Greetings
> Daniel
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC, not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)

Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDCs.) Each PDC uses its own ldap server and the ldap servers are configured for replication.

The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.

On 06/20/13 04:26, Philipp Lies wrote:
> Hi,
> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup: OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users.
>
> One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
>
> Now here's the smb.conf (I removed the shares):
>
>     [global]
>     workgroup = X
>     security = user
>     passdb backend = ldapsam:ldap://myldapserver
>     ldap suffix = dc=mydomain,dc=com
>     ldap admin dn = cn=replicator,dc=mydomain,dc=com
>     ldap user suffix = ou=users
>     ldap group suffix = ou=groups
>     ldap machine suffix = ou=computers
>     ldap ssl = start tls
>
> The ldap connection works, as `pdbedit -L` shows
>
>     pm_process() returned Yes
>     smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>     StartTLS issued: using a TLS connection
>     smbldap_open_connection: connection opened
>     ldap_connect_system: successful connection to the LDAP server
>     The LDAP server is successfully connected
>     smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))], scope = [2], pagesize = [1024]
>     smbldap_search_paged: search was successful
>     sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>
> and then the last message repeats for all uids.
>
> Using `smbclient -L localhost -U someid` the log file says:
>
>     check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
>     check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
>     StartTLS issued: using a TLS connection
>     smbldap_open_connection: connection opened
>     ldap_connect_system: successful connection to the LDAP server
>     The LDAP server is successfully connected
>     init_sam_from_ldap: Entry found for user: someid
>     Home server: SAMBAHOST
>     Home server: SAMBAHOST
>     init_group_from_ldap: Entry found for group: 1011
>     init_group_from_ldap: Entry found for group: 1011
>     Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
>     Forcing Primary Group to 'Domain Users' for someid
>     ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>     sam_account_ok: Checking SMB password for user someid
>     The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>     check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>     check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
>
> What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group, which then obviously does not match the domain SID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?
>
> What I tried so far:
> Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, it just executed successfully, but getlocalsid returned the old SID.
> Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.
> Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".
> I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.
>
> How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause
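The log quoted above and Andrew Bartlett's answer earlier in the thread come down to one rule: Samba only treats a SID as a domain account when its domain part equals the server's own SID, so the user's sambaSID, its sambaPrimaryGroupSID, the sambaDomain object in LDAP and `net getlocalsid` on the server all have to agree. The script below is an added example, not code from the thread or from the Samba project; it audits a set of ldapsam entries for exactly those mismatches. It works on plain dicts shaped like python-ldap search results, and the sample SIDs are constructed stand-ins for the redacted [LDAPSID] and [LOCALSID]; the attribute names are the standard samba.schema ones.

```python
"""Audit ldapsam entries for the SID inconsistencies behind the
"does not belong to our domain" and "primary group domain sid ... does not
match the domain sid" messages.

Added example, not code from the thread or from the Samba project. Entries
are dicts shaped like python-ldap results (attribute -> list of strings);
the sample data at the bottom is constructed."""
import re

# NT domain SIDs look like S-1-5-21-a-b-c; appending -RID names one account.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
DOMAIN_USERS_RID = 513   # RID Samba substitutes when the primary group is unknown


def split_sid(sid):
    """'S-1-5-21-1-2-3-513' -> ('S-1-5-21-1-2-3', 513).
    Raises ValueError for builtin (S-1-5-32-...) or malformed SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain SID: %r" % sid)
    return sid.rsplit("-", 1)[0], int(m.group(1))


def audit(domain_sid, local_sid, users, groups):
    """Return a list of (uid, problem) pairs.

    domain_sid: sambaSID of the sambaDomain object the server reads from LDAP
    local_sid:  what `net getlocalsid` prints on the server being debugged
    users:      sambaSamAccount entries with uid, sambaSID, sambaPrimaryGroupSID
    groups:     sambaGroupMapping entries with cn and sambaSID
    """
    problems = []
    known_groups = {g["sambaSID"][0]: g["cn"][0] for g in groups}

    # The check that sinks every account at once: a server whose own SID
    # differs from the SID stored in LDAP sees every LDAP account as foreign.
    if local_sid != domain_sid:
        problems.append(("*", "local SID %s differs from LDAP domain SID %s; "
                              "every LDAP account will be reported as not in our domain"
                              % (local_sid, domain_sid)))

    for u in users:
        uid = u["uid"][0]
        try:
            user_dom, _ = split_sid(u["sambaSID"][0])
            pgrp_sid = u["sambaPrimaryGroupSID"][0]
            pgrp_dom, _ = split_sid(pgrp_sid)
        except (KeyError, IndexError, ValueError) as exc:
            problems.append((uid, "missing or malformed SID attribute: %s" % exc))
            continue
        if user_dom != domain_sid:
            problems.append((uid, "sambaSID %s is not under domain SID %s"
                                  % (u["sambaSID"][0], domain_sid)))
        if pgrp_dom != user_dom:
            problems.append((uid, "primary group SID domain %s differs from user SID domain %s"
                                  % (pgrp_dom, user_dom)))
        if pgrp_sid not in known_groups:
            # The "is UNKNOWN and not a domain group" case: Samba forces the
            # primary group to <its own SID>-513, and if its own SID is not
            # the LDAP domain SID the later comparison fails the logon.
            problems.append((uid, "primary group %s has no sambaGroupMapping entry; "
                                  "Samba will substitute Domain Users (RID %d)"
                                  % (pgrp_sid, DOMAIN_USERS_RID)))
    return problems


# Constructed sample data (the real values were redacted in the thread).
LDAP_SID = "S-1-5-21-1000-2000-3000"    # stands in for [LDAPSID]
LOCAL_SID = "S-1-5-21-4000-5000-6000"   # stands in for [LOCALSID]
SAMPLE_GROUPS = [
    {"cn": ["Domain Users"], "sambaSID": [LDAP_SID + "-513"]},
    {"cn": ["staff"], "sambaSID": [LDAP_SID + "-1011"]},
]
SAMPLE_USERS = [
    {"uid": ["alice"], "sambaSID": [LDAP_SID + "-5168"],
     "sambaPrimaryGroupSID": [LDAP_SID + "-513"]},
    {"uid": ["someid"], "sambaSID": [LDAP_SID + "-5708"],
     "sambaPrimaryGroupSID": [LDAP_SID + "-1000"]},   # no mapping for RID 1000
]

if __name__ == "__main__":
    for uid, problem in audit(LDAP_SID, LOCAL_SID, SAMPLE_USERS, SAMPLE_GROUPS):
        print("%-8s %s" % (uid, problem))
```

To run it against real data, feed it the entries returned by an ldapsearch for objectClass=sambaDomain, sambaSamAccount and sambaGroupMapping, plus the output of `net getlocalsid`. The "*" finding is the one Philipp's log shows: as long as the server's own SID disagrees with the sambaSID of the sambaDomain object, every user is reported as not in our domain before the per-user checks matter. The per-user findings (a user SID under a foreign domain, a primary group with no mapping) are what remain once the SIDs are aligned by making the server a DC of that domain, as advised earlier in the thread.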
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
You might look into the net getlocalsid, net getdomainsid, net setlocalsid and net setdomainsid commands; you may be able to set the samba servers the same as your ldap sid... just a thought. Remember, messing around with SIDs can cause major issues, so export all sids to a file and be ready to set them back if everything goes wrong. (net getdomainsid > sidbackup.txt to export them on the samba side of things)

Ricky

On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC, not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDCs.) Each PDC uses its own ldap server and the ldap servers are configured for replication.
>
> The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
OK. I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines to say "I don't know who DOMAIN/user1 is, so I will map to local user1." The standalone servers should be using LDAP for unix accounts but I don't think you really should use the common LDAP backend for samba accounts. You would need to use smbpasswd or pdbedit to create local samba users on each member server, which means the member servers would each use a local tdb database, not ldap, for samba.

If you want to centralize the samba accounts I think the proper way would be to use member servers.

That being said, if the current set up is working on some machines but not others, I would run testparm -v on each domain member and see if there are differences in mapping behavior. Different OSes may have slightly different versions of samba and the default smb.conf parameters may have changed.

Also run net groupmap list on each member server. You may need to explicitly set group mappings for key windows groups (i.e. the group sid maps to a unix group.) e.g.

    # net groupmap list
    ...
    Administrators (S-1-5-32-544) -> Builtin Admins
    Users (S-1-5-32-545) -> Builtin Users

    # getent group "Builtin Admins"
    Builtin Admins::544:

On 06/20/13 10:40, Philipp Lies wrote:
> On 20.06.2013 15:04, Gaiseric Vandal wrote:
>> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> The LDAP server is the PDC, however, there are no domain members. All my samba servers are standalone servers which are not domain members. This seems to work nicely with my debian machines but not the centos ones.
Re: [Samba] Samba + LDAP: Issue adding machine.
I would compare the LDAP attributes between a problem machine and a working machine. Each machine has to have a unique unix account name and SID.

Normally you don't need to precreate the samba acct with smbpasswd -a -m or pdbedit. However it may help with the diagnostics to see what is not getting created. If you use smbpasswd or pdbedit to create the account, then use the ldap editor to fill in the missing attributes, then you should be able to join the domain.

Also double check that machine accounts are not being created in some other LDAP ou than you expected. You might be trying to fix one ldap entry while samba is creating one somewhere else.

It gets tricky when you use smbpasswd or pdbedit to create an account and it sees some attributes ther

On 06/14/13 07:49, Luis H. Forchesatto wrote:
> Hi Gaiseric
>
> Thanks for the reply. I believe the problem is not the flags but I will check them again as you suggested. I've found this problem quite annoying because it is not on my network, it's on a remote network and I need to move physically to another place in order to test the environment, quite boring also.
>
> Regarding the sambaPrimaryGroupSID I'll check again but I believe it MAY be the problem :)
>
> Also, can this cause this problem? Another machine was already created previously... something like?
>
> 2013/6/10 Gaiseric Vandal <gaiseric.van...@gmail.com>
>> I found that Samba 3.5.x has trouble creating the LDAP attributes correctly on new machine accounts. I think Samba 3.4.x was OK. Rejoining a machine to a domain was usually OK. You may need to do a mix of account creation with smbpasswd and LDAP modification with the LDAP editor.
>>
>> It appears to incorrectly set sambaAccountFlags as [U] (user) instead of [W] (workstation). When attempting to join a machine to the domain you may get an error that the account already exists. Use an LDAP editor to make sure sambaAccountFlags is set to [W]. You MAY also need to make sure that the sambaPrimaryGroupSID is also set. It should end with 515.
Re: [Samba] Samba + LDAP: Issue adding machine.
I found that Samba 3.5.x has trouble creating the LDAP attributes correctly on new machine accounts. I think Samba 3.4.x was OK. Rejoining a machine to a domain was usually OK. You may need to do a mix of account creation with smbpasswd and LDAP modification with the LDAP editor.

It appears to incorrectly set sambaAccountFlags as [U] (user) instead of [W] (workstation). When attempting to join a machine to the domain you may get an error that the account already exists. Use an LDAP editor to make sure sambaAccountFlags is set to [W]. (You can use pdbedit to verify the setting but not to change it to [W].)

    type: sambaAccountFlags
    value: [W ]

If, when joining a domain, you get an error that "the specified network password is not correct", you may need to precreate the samba account attributes with the pdbedit or smbpasswd commands. Try the following on spooky:

    # smbpasswd -x -m machinename
    # smbpasswd -a -m machinename

You MAY also need to make sure that the sambaPrimaryGroupSID is also set. It should end with 515.

    type: sambaPrimaryGroupSID
    value: S-1-5-21-xxx-xxx-xxx-515

On 06/10/13 08:33, Luis H. Forchesatto wrote:
> Greetings.
>
> I've run into trouble when trying to add a new Win7 machine to a domain. The domain is controlled by a server running Samba + LDAP (samba compiled with ldap support), on a Debian 5 OS at the local network. I've added the machine name to the LDAP tree through phpldapadmin using the option "Samba3 Machine" on the related submenu and via terminal on samba. Then I renamed the new machine to match the computer name and tried to add it to the domain. When prompted for credentials to add the new machine I entered the admin login and password and hit enter. Windows then returned the following error (something like):
>
> "The join operation did not succeed. Maybe an existing machine account machine_account_name was created previously using another set of credentials. Use another computer name or contact the admin to remove any obsolete conflicting account. Error: Access denied."
>
> Any ideas for the troubleshoot will be welcome.
> --
> Att.
> Luis H. Forchesatto
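Gaiseric's checklist for a machine account (sambaAccountFlags must carry W, sambaPrimaryGroupSID must end in 515, and the account must be unique) is mechanical enough to script. The following is an added example, not code from the thread or from the Samba project: it checks machine entries, taken as python-ldap-style dicts with constructed sample values, and emits the LDIF modify record that ldapmodify needs to repair them. The domain SID is assumed known, for instance from `net getdomainsid` on the PDC, and the DNs under ou=computers,dc=example,dc=com are invented.

```python
"""Check Samba 3 machine-account entries in LDAP for the attributes the
thread points at and emit an LDIF 'changetype: modify' that repairs them.

Added example, not from the thread or the Samba project. Entries are dicts
shaped like python-ldap results (attribute -> list of strings); the sample
entries and the domain SID below are constructed."""

DOMAIN_COMPUTERS_RID = 515   # well-known RID of "Domain Computers"
FLAGS_FIELD_WIDTH = 11       # Samba pads the bracketed flag field to 11 chars


def parse_flags(value):
    """'[U          ]' -> {'U'}. Spaces are padding, not flags."""
    v = value.strip()
    if not (v.startswith("[") and v.endswith("]")):
        raise ValueError("malformed sambaAccountFlags: %r" % value)
    return set(v[1:-1].replace(" ", ""))


def format_flags(flags):
    """{'W'} -> '[W          ]' in the padded form Samba itself writes."""
    return "[" + "".join(sorted(flags)).ljust(FLAGS_FIELD_WIDTH) + "]"


def check_machine(entry, domain_sid):
    """Return (problems, fixes) for one machine entry. problems is a list of
    strings; fixes is a list of (attribute, value) pairs for to_ldif()."""
    problems, fixes = [], []
    uid = entry["uid"][0]
    if not uid.endswith("$"):
        # The RDN usually carries the uid, so this is reported, not auto-fixed.
        problems.append("uid %r lacks the trailing '$' of a machine account" % uid)

    flags = parse_flags(entry.get("sambaAccountFlags", ["[]"])[0])
    if "W" not in flags:
        problems.append("sambaAccountFlags %s lacks W (workstation)" % format_flags(flags))
        fixes.append(("sambaAccountFlags", format_flags((flags - {"U"}) | {"W"})))

    want = "%s-%d" % (domain_sid, DOMAIN_COMPUTERS_RID)
    have = entry.get("sambaPrimaryGroupSID", [None])[0]
    if have != want:
        problems.append("sambaPrimaryGroupSID is %s, expected %s" % (have, want))
        fixes.append(("sambaPrimaryGroupSID", want))
    return problems, fixes


def to_ldif(dn, fixes):
    """Render fixes as one LDIF modify record (empty string if nothing to do).
    'replace' adds the attribute when absent and overwrites it otherwise."""
    if not fixes:
        return ""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in fixes:
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"


# Constructed sample data.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SAMPLE_MACHINES = {
    # created as a plain user: flags say U and the group is Domain Users (513)
    "uid=ws01$,ou=computers,dc=example,dc=com": {
        "uid": ["ws01$"], "sambaAccountFlags": ["[U          ]"],
        "sambaPrimaryGroupSID": [DOMAIN_SID + "-513"]},
    # a correct workstation entry
    "uid=ws02$,ou=computers,dc=example,dc=com": {
        "uid": ["ws02$"], "sambaAccountFlags": ["[W          ]"],
        "sambaPrimaryGroupSID": [DOMAIN_SID + "-515"]},
}

if __name__ == "__main__":
    for dn, entry in SAMPLE_MACHINES.items():
        problems, fixes = check_machine(entry, DOMAIN_SID)
        for p in problems:
            print("%s: %s" % (dn, p))
        print(to_ldif(dn, fixes), end="")
```

Write the emitted records to a file and apply them with `ldapmodify -x -D <ldap admin dn> -W -f fixes.ldif`, then re-run the check. If the join still reports an existing account afterwards, look for a second entry with the same uid under another OU, which is the "created somewhere else" case Gaiseric describes.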
Re: [Samba] Samba, LDAP and replica
On 26/12/2012 22:33, Andrew Bartlett wrote:
> On Wed, 2012-12-26 at 08:36 -0200, TI wrote:
>> Hi Guys,
>> I have six Linux Servers running Samba 3 as PDC of our domain, in different locations. They are integrated through LDAP (which is configured to replicate over our VPN) and all respond to the same domain. So, wherever the user is, he will log in to the same domain name. Now I'm planning to migrate to Samba 4. As Samba 4 manages its LDAP internally, what is the best approach to keep the same design I have today?
>
> Samba 4.0 can continue as-is, using your existing LDAP configuration, if you wish to maintain a 'classic' domain.
>
> To upgrade to an AD domain, you will need of course to use our internal LDAP. This is naturally multi-master replicated, so it should 'just work'.
>
> https://wiki.samba.org/index.php/Samba4/HOWTO#Migrating_an_Existing_Samba3_Domain_to_Samba4
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> The main thing to watch out for is that, just as with Samba classic domains, the [netlogon] share (and [sysvol] in the AD case) is not replicated by Samba - you have to sync any changes around manually (eg rsync).
>
> We do have some support for the concept of Sites, but it isn't totally complete. So, you may wish to investigate closely to ensure it does enough to avoid swamping your VPN links.
>
> I wish you the very best with your upgrade. Feel free to come back with any issues you may have.

Hi Andrew,

We use the same kind of setup. We do extensively use ldap for sudo, automount, lemonldap, ... a bunch of services. Can we basically keep our LDAP directory without altering the schema and still benefit from samba4 features? If this is completely ruled out, is there a smooth migration path to keep all that info in an LDAP directory (whether samba internal or external)?

Thanks
Re: [Samba] Samba, LDAP and replica
On Wed, 2012-12-26 at 08:36 -0200, TI wrote:
> Hi Guys,
> I have six Linux Servers running Samba 3 as PDC of our domain, in different locations. They are integrated through LDAP (which is configured to replicate over our VPN) and all respond to the same domain. So, wherever the user is, he will log in to the same domain name. Now I'm planning to migrate to Samba 4. As Samba 4 manages its LDAP internally, what is the best approach to keep the same design I have today?

Samba 4.0 can continue as-is, using your existing LDAP configuration, if you wish to maintain a 'classic' domain.

To upgrade to an AD domain, you will need of course to use our internal LDAP. This is naturally multi-master replicated, so it should 'just work'.

https://wiki.samba.org/index.php/Samba4/HOWTO#Migrating_an_Existing_Samba3_Domain_to_Samba4
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

The main thing to watch out for is that, just as with Samba classic domains, the [netlogon] share (and [sysvol] in the AD case) is not replicated by Samba - you have to sync any changes around manually (eg rsync).

We do have some support for the concept of Sites, but it isn't totally complete. So, you may wish to investigate closely to ensure it does enough to avoid swamping your VPN links.

I wish you the very best with your upgrade. Feel free to come back with any issues you may have.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 17 Sep 2012 04:35:39 +0800, Jeffrey Chan wrote:
> Hi all,
> What's a good Samba+LDAP appliance these days for a small business?

Not using it myself:

http://www.univention.de/
http://www.zentyal.org/

- Thomas
Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 2012-09-17 at 04:35 +0800, Jeffrey Chan wrote:
> Hi all,
> What's a good Samba+LDAP appliance these days for a small business? Currently I use a stock Ubuntu server and did all Samba/LDAP configuration manually. I'm looking for something that can allow my regular staff to use as well.
>
> 1. I tried most of the popular NAS distros, like FreeNAS, NAS4Free, OpenMediaVault, etc. Most of these NAS don't have an LDAP server built-in.
> 2. I tried Openfiler, ClearOS and Zentyal which do have an LDAP server built-in but I haven't gotten them to import my existing Samba/LDAP data yet. WIP.
> 3. I just discovered Artica NAS Appliance and Univention UCS, will be testing them this week. Do you guys know anything about these two distros?
>
> Sometimes I wonder if I even need LDAP. I migrated to LDAP before only to make it a little easier (though not by much) to edit samba account data (e.g. SID). I guess I'd like to have centralized authentication as well (clients include Windows, Mac OSX and Linux, maybe OpenVPN as well). Is there a simpler mode of centralized login operation? Or is LDAP the only viable solution?

Samba 4.0 as an AD DC would be a good choice.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
On Tuesday, 31.07.2012 at 12:11 +0200, Arokux B. wrote:
What are the minimum permissions for the attributes sambaLMPassword/sambaNTPassword for the LDAP administrator account so that Samba is just enabled to use it for authentication with the ldapsam backend? It seems like auth is not enough, is this true?!

Unlike a direct LDAP bind for a user, where it is sufficient to just detect a successful bind, Samba needs to be able to compare the stored sambaLMPassword/sambaNTPassword hashes with the hash provided by the client. That requires 'read' access at a minimum. (For password changes via this avenue, I believe you'd need 'write', although I'm less certain about that: it might depend on the password change mechanism being used.)
Dave.
-- Dave Ewart da...@ceu.ox.ac.uk Computing Manager, Cancer Epidemiology Unit University of Oxford / Cancer Research UK N 51.7516, W 1.2152
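A concrete version of the "read at minimum, write for password changes" advice, as an added example that is not from the thread and not Samba project code: an OpenLDAP cn=config ACL that lets only the DN Samba binds with (its ldap admin dn) touch the hash attributes, plus a check that an ordinary user can no longer read them. The DN cn=samba,dc=example,dc=com, the suffix and the database DN are assumptions. The reason this is worth doing: sambaNTPassword is the raw NT hash, which is usable as-is in NTLM authentication, so every DN that can read it effectively holds every user's password.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: confine the Samba password
# hashes in OpenLDAP to the DN that Samba binds with. All names below are assumptions.
set -eu

SAMBA_DN=${SAMBA_DN:-cn=samba,dc=example,dc=com}   # same value as "ldap admin dn" in smb.conf
SUFFIX=${SUFFIX:-dc=example,dc=com}
DB_DN=${DB_DN:-olcDatabase={1}hdb,cn=config}       # find yours: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
LDAP_URI=${LDAP_URI:-ldap://localhost}

# samba_acl_ldif -> prints a cn=config modification that replaces the database ACLs.
# Rule order matters in OpenLDAP: the first "to" clause matching the attribute wins,
# so the hash attributes must come before the catch-all.
samba_acl_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=sambaLMPassword,sambaNTPassword
  by dn.exact="$SAMBA_DN" write
  by * none
olcAccess: {1}to attrs=userPassword
  by dn.exact="$SAMBA_DN" write
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by dn.exact="$SAMBA_DN" write
  by * read
EOF
}
# Notes on the rules above:
#  {0} "write" for the Samba DN is needed when Samba itself stores new hashes on a
#      password change; "read" is enough for a server that only authenticates.
#      "by * none" also removes "by self": users never need to see their own NT hash.
#  {1} userPassword keeps "anonymous auth" so simple binds (PAM/NSS, SASL) still work.
#  {2} "by * read" mirrors a typical NSS setup; tighten it if anonymous reads are unwanted.

# apply_acl -> loads the modification over the local ldapi socket as the OS root user
apply_acl() {
    samba_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# hash_visible BIND_DN PASSWORD_FILE -> 0 if that DN can still see any sambaNTPassword.
# "read" in OpenLDAP includes search, so with the ACL in place the presence filter
# matches nothing for an ordinary user. The bind password comes from a file, not argv.
hash_visible() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$1" -y "$2" -b "$SUFFIX" \
        '(sambaNTPassword=*)' sambaNTPassword | grep -q '^sambaNTPassword:'
}

# Typical run (as root on the directory host):
#   apply_acl
#   hash_visible uid=jdoe,ou=people,dc=example,dc=com /root/jdoe.pw && echo "STILL EXPOSED"
```

Run hash_visible once before and once after apply_acl with a normal user's DN: it should succeed before and fail after. Keep sambaLMPassword in the same rule even if you set lanman auth = no; a stored LM hash is easier to crack than the NT hash and should never be readable by anyone but Samba.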
Re: [Samba] Samba / LDAP : map uid to another field ?
I found the « username map [script] » directive in the smb.conf man page. I've tested P1234=jdoe and it works. Next is to make a one-line script to make this dynamic ^^ Another solution was to make a proxy LDAP instead of a replica. Thanks for the help! If anyone has another idea, I'm open :)

2012/5/24 Sylvain debian.r...@gmail.com
Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe a local LDAP replica and the use of your trick will work. I will try if there are no Samba solutions. Thanks :)

2012/5/24 miguelmeda...@sapo.pt
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
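A username map script in the spirit of the one-line script Sylvain mentions, as an added example that is not from the thread: smb.conf(5) says Samba runs the script with the name sent by the client as its only argument and takes the line it prints on standard output as the account name to use. The mapping direction (eduPersonPrincipalName holding the name users type at logon, uid holding the POSIX name), the LDAP URI and the base DN are assumptions. The name is attacker-controlled input, it arrives straight from the SMB session setup, so it has to be escaped before it goes into an LDAP filter, otherwise a crafted logon name rewrites the query.

```shell
#!/bin/sh
# Added example, not code from the thread: a Samba "username map script".
#   smb.conf:  username map script = /usr/local/sbin/smb-usermap
# Samba calls it as  smb-usermap <name-from-client>  and reads the mapped name
# from stdout (one line). LDAP URI, base and attribute roles are assumptions.
LC_ALL=C; export LC_ALL
LDAP_URI=${LDAP_URI:-ldap://localhost}
BASE=${BASE:-ou=people,dc=example,dc=com}
LOGIN_ATTR=${LOGIN_ATTR:-eduPersonPrincipalName}   # what users type at the Windows logon
UNIX_ATTR=${UNIX_ATTR:-uid}                        # what Samba/NSS need

# ldap_escape VALUE -> VALUE with the RFC 4515 filter metacharacters escaped.
# Backslash must be handled first, or the escapes added later get escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# sane_name NAME -> 0 if NAME is something worth looking up at all: non-empty,
# printable, no whitespace, and short. Anything else is left unmapped.
sane_name() {
    case $1 in
        '' | *[![:graph:]]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# map_name NAME -> prints the UNIX_ATTR of the entry whose LOGIN_ATTR is NAME,
# or nothing (Samba then tries the name as given). Exactly one match is required.
map_name() {
    sane_name "$1" || return 0
    filter="($LOGIN_ATTR=$(ldap_escape "$1"))"
    result=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE" -s sub "$filter" "$UNIX_ATTR" 2>/dev/null \
             | sed -n "s/^$UNIX_ATTR: //p")
    # Refuse ambiguous results: two entries with the same logon name is a data problem,
    # not something to resolve by picking the first one.
    [ "$(printf '%s\n' "$result" | grep -c .)" -eq 1 ] || return 0
    printf '%s\n' "$result"
}

# Invoked by Samba with exactly one argument; sourcing the file runs nothing.
if [ $# -eq 1 ]; then
    map_name "$1"
fi
```

The script intentionally prints nothing rather than guessing when the lookup fails or is ambiguous; Samba then falls back to the name the client sent. Values ldapsearch returns base64-encoded (uid:: ...) are not handled, which is fine for ASCII POSIX names.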
Re: [Samba] Samba / LDAP : map uid to another field ?
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
Re: [Samba] Samba / LDAP : map uid to another field ?
Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe a local LDAP replica and the use of your trick will work. I will try if there are no Samba solutions. Thanks :)

2012/5/24 miguelmeda...@sapo.pt
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
Re: [Samba] Samba LDAP Failover
On 02.04.2012 07:43, Massimiliano Perantoni wrote:
Hi, the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26.
Actually the only difference is the openldap client libraries version, I do use 2.3 instead of 2.4, but using getent, as I stated before, works... If I do getent passwd I get, with the failure, the immediate list of local users and, after a timeout, I get the users list from the secondary LDAP. I guess that nscd is working or, at least, the service is up and running: never understood how the system decides to use it or not... For what I know, if I disable the service nothing changes, so I do not know if nscd is working or not... If I stop the LDAP I get the failover with getent, but I have to wait for the timeout set in ldap.conf.

I honestly don't know what's going on there. I just wanted to make sure that getent is really working and doesn't just look that way because nscd masks the problem. I guess your secondary 389 server doesn't show a connection attempt in the log when you simulate the failure of your first server? You wrote that you don't use ssl - is this also true in ldap.conf?

The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so, does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?
I get a timeout seconds (actually 5 secs) delay... Then the answer, while samba waits for the timeout set in smb.conf, then fails. Bye, and thanks!

On 01.04.2012 23:47, Massimiliano Perantoni wrote:
Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
On 31.03.2012 20:56, Steve Thompson wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.
Regards Stephan
Re: [Samba] Samba LDAP Failover
Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
On 31.03.2012 20:56, Steve Thompson wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.
Regards Stephan
-- Massimiliano Perantoni http://www.perantoni.net tw: maxper75
Re: [Samba] Samba LDAP Failover
Hey, the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26. The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so, does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?

On 01.04.2012 23:47, Massimiliano Perantoni wrote:
Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!
On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
On 31.03.2012 20:56, Steve Thompson wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.
Regards Stephan
Re: [Samba] Samba LDAP Failover
Hi, the distribution is a Debian 6 but I compiled samba myself against a self compiled openldap 2.4.26.
Actually the only difference is the openldap client libraries version, I do use 2.3 instead of 2.4, but using getent, as I stated before, works... If I do getent passwd I get, with the failure, the immediate list of local users and, after a timeout, I get the users list from the secondary LDAP. I guess that nscd is working or, at least, the service is up and running: never understood how the system decides to use it or not... For what I know, if I disable the service nothing changes, so I do not know if nscd is working or not... If I stop the LDAP I get the failover with getent, but I have to wait for the timeout set in ldap.conf.

The passdb backend line doesn't look different than yours (except the server names of course ;-)). You are not running nscd by chance? If so, does getent passwd work with a simulated ldap1 failure (via iptables) and nscd shut down?
I get a timeout seconds (actually 5 secs) delay... Then the answer, while samba waits for the timeout set in smb.conf, then fails. Bye, and thanks!

On 01.04.2012 23:47, Massimiliano Perantoni wrote:
Hi, could you send me the setup? Which lines did you add? Which distro do you run? Thanks!
On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
On 31.03.2012 20:56, Steve Thompson wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve
My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.
Regards Stephan
-- Massimiliano Perantoni http://www.perantoni.net tw: maxper75
Re: [Samba] Samba LDAP Failover
I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Massimiliano Perantoni
Sent: Saturday, March 31, 2012 6:12 AM
To: samba@lists.samba.org
Subject: [Samba] Samba LDAP Failover

Hi, I have a quite simple setup for a particular customer that loves redundancy and failover: PDC + BDC with LDAP passwords on two 389-ds in multimaster mode + several samba member servers. Actually, pointing singularly at both systems everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from
passdb backend = ldapsam:ldap://ldap1
or
passdb backend = ldapsam:ldap://ldap2
to
passdb backend = ldapsam:ldap://ldap1 ldap://ldap2
I still authenticate on the first LDAP, but as soon as I shut this off with
iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT  # simulates, from the samba machine, a failure in the service
(and, yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure. This is the way I reproduce the problem:
# with the first ldap reachable
smbclient -L pdc-01 -U maxper
Password:
Domain: [XX]
everything works fine
iptables -I OUTPUT -p tcp --dport 389 -j DROP
smbclient -L pdc-01 -U maxper
answers: session setup failed: NT_STATUS_LOGON_FAILURE
getent passwd works OK, gives both local and ldap users after the timeout set in ldap.conf, while samba just drops the authentication after the committed param
ldap timeout = 8
after 8 secs, samba drops and gives that error. Samba is version 3.4.15, while the distro is CentOS 5.4. Any help would be appreciated!
Ciao Massimiliano
Re: [Samba] Samba LDAP Failover
The matter is that, since the manual indicates so, it should be supported and delegated to the ldap api in use... The openldap api supports rebinding. The proof of it is that if in /etc/ldap.conf I put 2 ldap servers in the uri, everything works fine. The matter seems to be that samba, even using such an infrastructure, doesn't work. I'd like at least to know if it is some mistake I make or it is just deprecated/never supported, just to go in other directions implementing other failover-by-hand systems. Thanks!

On 31 March 2012 14:37, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Massimiliano Perantoni
Sent: Saturday, March 31, 2012 6:12 AM
To: samba@lists.samba.org
Subject: [Samba] Samba LDAP Failover

Hi, I have a quite simple setup for a particular customer that loves redundancy and failover: PDC + BDC with LDAP passwords on two 389-ds in multimaster mode + several samba member servers. Actually, pointing singularly at both systems everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from
passdb backend = ldapsam:ldap://ldap1
or
passdb backend = ldapsam:ldap://ldap2
to
passdb backend = ldapsam:ldap://ldap1 ldap://ldap2
I still authenticate on the first LDAP, but as soon as I shut this off with
iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT  # simulates, from the samba machine, a failure in the service
(and, yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure. This is the way I reproduce the problem:
# with the first ldap reachable
smbclient -L pdc-01 -U maxper
Password:
Domain: [XX]
everything works fine
iptables -I OUTPUT -p tcp --dport 389 -j DROP
smbclient -L pdc-01 -U maxper
answers: session setup failed: NT_STATUS_LOGON_FAILURE
getent passwd works OK, gives both local and ldap users after the timeout set in ldap.conf, while samba just drops the authentication after the committed param
ldap timeout = 8
after 8 secs, samba drops and gives that error. Samba is version 3.4.15, while the distro is CentOS 5.4. Any help would be appreciated!
Ciao Massimiliano
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Gaiseric Vandal wrote:
I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

Samba most certainly does support multiple LDAP backends. There's even an example in the smb.conf(5) man page.
Steve
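The smb.conf(5) form Steve refers to, together with a small outage test, as an added example that is not from the thread: the server list is one double-quoted string after ldapsam:, and the man page itself says whether a second server is actually tried depends on the LDAP client library Samba was built against, which is exactly the variable Stephan and Massimiliano differ on (OpenLDAP 2.4 versus 2.3). Host names, the credentials file and the timeouts are assumptions. The outage is simulated with REJECT so the dead server answers with a reset at once; with DROP, as in Massimiliano's repro, every attempt first waits out the connect timeout, which is the delay the thread describes.

```shell
#!/bin/sh
# Added example, not the thread's configuration: multi-server ldapsam and a way to
# test failover from the Samba host. Host names, authfile and timeouts are assumptions.
set -eu
LDAP1=${LDAP1:-ldap1.example.com}
LDAP2=${LDAP2:-ldap2.example.com}

# global_snippet URI... -> prints the [global] lines for a passdb backend that lists
# every URI in one double-quoted string, the form smb.conf(5) documents.
global_snippet() {
    printf 'passdb backend = ldapsam:"%s"\n' "$*"
    # per-server connect cap (smb.conf(5) "ldap connection timeout"), so a dead first
    # server costs a couple of seconds rather than the whole "ldap timeout"
    printf 'ldap connection timeout = 2\n'
    printf 'ldap timeout = 8\n'
}

# passdb_uris FILE -> the URIs configured in FILE, one per line. Use it to see what
# is really in the file (and compare with: testparm -s | grep "passdb backend").
passdb_uris() {
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" \
        | tr ' ' '\n' | grep -v '^$'
}

# simulate_outage HOST on|off -> block or unblock outgoing LDAP to HOST from this box.
# REJECT answers with a TCP reset immediately; DROP makes each attempt wait for the
# connect timeout first, and an authentication request then pays that delay.
simulate_outage() {
    case $2 in
        on)  iptables -I OUTPUT -p tcp --dport 389 -d "$1" -j REJECT ;;
        off) iptables -D OUTPUT -p tcp --dport 389 -d "$1" -j REJECT ;;
        *)   echo "usage: simulate_outage HOST on|off" >&2; return 2 ;;
    esac
}

# auth_check AUTHFILE -> 0 if a session setup against the local smbd succeeds; prints
# the elapsed time so the failover cost is visible. AUTHFILE is an smbclient -A file
# (username = ..., password = ...), so the password never appears in argv.
auth_check() {
    start=$(date +%s)
    rc=0
    smbclient -L localhost -A "$1" >/dev/null 2>&1 || rc=$?
    echo "session setup rc=$rc after $(( $(date +%s) - start ))s"
    return $rc
}

# Walk-through on the PDC (as root):
#   global_snippet "ldap://$LDAP1" "ldap://$LDAP2"   # paste into [global], then: testparm -s
#   auth_check /root/test.auth                        # baseline with both servers up
#   simulate_outage "$LDAP1" on; auth_check /root/test.auth; simulate_outage "$LDAP1" off
```

If auth_check still fails with the first server rejected, look at the second server's access log for a bind from the PDC during the test; no bind there means smbd never tried it, which points at the LDAP client library rather than at the smb.conf line.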
Re: [Samba] Samba LDAP Failover
I'm exactly using that, without luck...
-- Massimiliano Perantoni site: http://www.perantoni.net

On 31 March 2012 15:35, Steve Thompson s...@vgersoft.com wrote:
On Sat, 31 Mar 2012, Gaiseric Vandal wrote:
I don't think Samba (depending on the version) supports multiple ldap backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.
Samba most certainly does support multiple LDAP backends. There's even an example in the smb.conf(5) man page. Steve
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
I'm exactly using that, without luck...

Not sure what to tell you; I have used multiple LDAP servers in the past with success, although these days I use a single virtual LDAP server which load balances across a set of backend servers. What happens if you actually shut down the first LDAP server rather than REJECT it?
Steve
Re: [Samba] Samba LDAP Failover
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?

On 31 March 2012 19:04, Steve Thompson s...@vgersoft.com wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
I'm exactly using that, without luck...
Not sure what to tell you; I have used multiple LDAP servers in the past with success, although these days I use a single virtual LDAP server which load balances across a set of backend servers. What happens if you actually shut down the first LDAP server rather than REJECT it? Steve
Re: [Samba] Samba LDAP Failover
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?

I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago.
Steve
Re: [Samba] Samba LDAP Failover
On 31.03.2012 20:56, Steve Thompson wrote:
On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
Well, did not try, but guess it happens the same. Just for completeness, which version of samba did you use for ldap failover?
I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which revision of CentOS; it was a while ago. Steve

My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.
Regards Stephan
Re: [Samba] samba+ldap
I'm trying to combine samba + ldap. I was successful in another attempt, which motivated me to create a .deb package that would do the whole process. I installed this package and the ldap DIT was created successfully, but when I try to insert a Windows machine in the Domain I get the message that the referred Domain does not exist or cannot be contacted. The system log does not log slapd connections; in compensation, log.nmbd reports that my domain is ok. I thought that might be because before I used samba compiled manually --with-ldap. Thank you.

Are you trying to join a Windows 7 machine to the domain? If so, please see this page: http://wiki.samba.org/index.php/Windows7
Re: [Samba] samba ldap domain member server with cifs and nfs
On 27/02/12 12:01, Guilhem Souque wrote:
It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had domain member servers in this samba version. Is there a way to synchronize unix uids with idmap uids?

Hi
We got bad mappings when nscd was caching the wrong uids. In the end, we decided against winbind and took the uid:gid directly from ldap. Turn off nscd?
Cheers, Steve
Re: [Samba] samba ldap domain member server with cifs and nfs
From: Guilhem Souque gsou...@artprice.com
Date: Mon, 27 Feb 2012 12:01:50 +0100
I try to configure a domain member server on another debian squeeze that will serve as cifs and nfs server. (snip) The unix uids provided by winbind are not the same as those used by the system (libnss-ldap); winbind doesn't know the real user uid. The result is that I can't use nfs with cifs because the system users' uids (libnss-ldap) are different from those provided by winbind. It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had domain member servers in this samba version. Is there a way to synchronize unix uids with idmap uids? (snip)
winbind trusted domains only = Yes

winbind trusted domains only is somewhat deprecated. You should use idmap_nss instead.
--- TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba LDAP passthrough authentication to another openLDAP
On Thu, 2012-02-16 at 21:10 +0800, Fajar Priyanto wrote:
Hi all, I have a setup like this. Pls let me know if it's possible or not.
SAMBA + Local LDAP --- SASLAUTHD -- Global LDAP

No. Samba uses the sambaNTPassword attribute in its LDAP schema which is a crypt of the password. You may be able to get plain-text authentication to work but only by adjusting Samba *and* hacking the registry on every client.

Desc: I'd like to do Samba authentication to LDAP, passthrough to another LDAP using SASL. The current situation is: SSH authentication from LDAP user to that Samba box works.

That doesn't involve Samba unless you are using Kerberos or something like pam_winbind / pam_smbpasswd [I don't even know which if any of those are currently 'active'].

However, smb authentication doesn't work (yet). This is what's shown in syslog when doing Samba authentication:
Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access to uid=fajar,ou=people,dc=example,dc=com userPassword requested

Looks like pam_ldap authentication to me. There may be a way to proxy authentication via LDAP [there are jillions of things you can do with LDAP] but I doubt involving saslauthd [plain text authentication] is going to work very well.
-- System Network Administrator [ LPI NCLA ] http://www.whitemiceconsulting.com OpenGroupware Developer http://www.opengroupware.us Adam Tauno Williams
Re: [Samba] Samba, ldap, password complexity, cracklib - questions
On Thu, 2012-02-02 at 15:00 +0100, Götz Reinicke wrote:
Hello, we run a Redhat samba 3.5.4 PDC with openldap 2.4 as user/password backend. The ldap also contains the posix information for the users to log in to some web/mail/etc. servers. I'm faced with the task to implement a 'both worlds' compatible password sync process regarding complexity etc. For the posix account password we use a web frontend, configured to use pam/cracklib checks, which works fine. E.g. 'hello' is NOT allowed as password :-) Checking the password change from a windows 7 / XP notebook reveals that there is no such complexity check used. E.g. 'hello' IS allowed as a user's password. :-( Password syncing (posix - windows) works. That means changing from the web or windows changes both ldap entries. My question: can someone point me to some docs or can someone explain how I can use (the same/a) complexity check when changing passwords from windows?

check password script = /usr/local/sbin/crackcheck -c -s
Not sure where I got crackcheck from; it is a compiled binary.
-- System Network Administrator [ LPI NCLA ] http://www.whitemiceconsulting.com OpenGroupware Developer http://www.opengroupware.us Adam Tauno Williams
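A check password script that applies the same kind of rules as the pam_cracklib check on the POSIX side, as an added example that is not from the thread and not Samba's crackcheck binary: smb.conf(5) documents that Samba writes the candidate password to the script's standard input and accepts it only when the script exits 0. The length and character-class thresholds are assumptions; the cracklib step runs only when cracklib-check is installed, so the dictionary part of the policy matches what the web frontend already enforces.

```shell
#!/bin/sh
# Added example, not the thread's crackcheck: a "check password script" for Samba.
#   smb.conf:  check password script = /usr/local/sbin/smb-pwcheck --stdin
# Samba writes the new password to stdin; exit 0 accepts it, anything else rejects it.
# The thresholds are assumptions; align them with the policy used on the POSIX side.
LC_ALL=C; export LC_ALL            # keep [a-z] etc. strictly ASCII regardless of smbd's locale
MIN_LEN=${MIN_LEN:-8}
MIN_CLASSES=${MIN_CLASSES:-3}
USE_CRACKLIB=${USE_CRACKLIB:-auto} # auto: use cracklib-check when present; yes/no to force

# count_classes PASSWORD -> how many of lower/upper/digit/other occur (0..4)
count_classes() {
    n=0
    case $1 in *[a-z]*)         n=$((n + 1)) ;; esac
    case $1 in *[A-Z]*)         n=$((n + 1)) ;; esac
    case $1 in *[0-9]*)         n=$((n + 1)) ;; esac
    case $1 in *[!a-zA-Z0-9]*)  n=$((n + 1)) ;; esac
    echo "$n"
}

# cracklib_says PASSWORD -> 0 if cracklib-check answers "OK", 1 with its reason on stderr.
# The password is piped in, never placed on a command line where ps could see it.
cracklib_says() {
    verdict=$(printf '%s\n' "$1" | cracklib-check 2>/dev/null) || return 1
    case $verdict in
        *": OK") return 0 ;;
        *)       echo "cracklib: ${verdict##*: }" >&2; return 1 ;;
    esac
}

# check_password PASSWORD -> 0 if it passes every rule, 1 otherwise (reason on stderr)
check_password() {
    pw=$1
    if [ ${#pw} -lt "$MIN_LEN" ]; then
        echo "too short: minimum $MIN_LEN characters" >&2
        return 1
    fi
    if [ "$(count_classes "$pw")" -lt "$MIN_CLASSES" ]; then
        echo "too uniform: needs $MIN_CLASSES of lower/upper/digit/other" >&2
        return 1
    fi
    case $USE_CRACKLIB in
        yes)  cracklib_says "$pw" || return 1 ;;
        auto) if command -v cracklib-check >/dev/null 2>&1; then cracklib_says "$pw" || return 1; fi ;;
    esac
    return 0
}

# Entry point used by smbd. Samba may not send a trailing newline, so a partial
# last line is still the password. Never log the password itself.
if [ "${1:-}" = "--stdin" ]; then
    IFS= read -r candidate || [ -n "$candidate" ] || exit 1
    check_password "$candidate"
    exit $?
fi
```

The reasons go to stderr only; Windows clients just see the generic "password does not meet requirements" style failure, so keep the policy documented for users elsewhere. The same script can be reused by the web frontend, which keeps the two sides from drifting apart.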
Re: [Samba] Samba, ldap, password complexity, cracklib - questions
On 2012-02-02 15:08, Adam Tauno Williams wrote:
check password script = /usr/local/sbin/crackcheck -c -s
Not sure where I got crackcheck from; it is a compiled binary.

I think you got it from the samba tarball: https://lists.samba.org/archive/samba/2011-September/164089.html
-- Message sent via my webmail account.
Re: [Samba] Samba/LDAP/Win7 Domain Admins could not log in
The Samba wiki page related to the use of Windows 7 with Samba contains the following statements:
« There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0 »
AND:
« Do *not* edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values. If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below: »
The quoted page resides here: http://wiki.samba.org/index.php/Windows7
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 04.08.2011 12:09, J. Echter wrote:
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Tue, 02 Aug 2011 14:12:05 +0200
I thought I'm done setting the domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools think I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example
- bdc# net rpc getsid
Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomainName in secrets.tdb
- Remember that before running the command, you have to set smb.conf correctly as BDC.

here's the conf of my testing smb machine:
[global]
domain master = no
domain logons = no
passdb backend = ldapsam:ldap://mule
idmap backend = ldap:ldap://mule
idmap uid = 1-15000
idmap gid = 1-15000

You have to set domain logons = yes to make this machine act as BDC. And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf
getent passwd a-user-created-on-PDC on BDC shows his entry?
--- TAKAHASHI Motonobu mo...@samba.gr.jp

ok, I'm sorry. I'm stupid. I overlooked that I disabled domain logons... now it's showing the right domain with pdbedit -v
thanks a lot. now I'm trying to logon again... cheers.

so, I now have nsswitch, ldap and samba working... almost :)
I added a test user, and created a testshare with valid users = test
pdbedit -v test (all on bdc, users created on pdc)
Unix username: test
NT username: test
Account Flags: [U ]
User SID: S-1-5-21-3842863818-2180709222-141296495-3178
Primary Group SID: S-1-5-21-3842863818-2180709222-141296495-513
Full Name: test
Home Directory: \\mule\test
HomeDir Drive: H:
Logon Script: test.bat
Profile Path: \\mule\profile\test
Domain: WORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Fr, 05 Aug 2011 08:49:26 CEST
Password can change: Fr, 05 Aug 2011 08:49:26 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF
getent passwd: test:x:1089:513:System User:/home/test:/bin/false
getent group:
Domain Admins:*:512:Administrator
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
if I try to access the share, windows xp keeps asking for my password. /var/log/samba/log.smbd tells me:
pdb_get_group_sid: Failed to find Unix account for test
[2011/08/05 09:44:02, 0] auth/auth_sam.c:355(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
what's wrong now? thanks for helping me. still lost.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
net rpc getsid

hi, yes I did this step and just repeated it to be sure.
sudo net rpc getsid
bdc: [sudo] password for bdc:
Storing SID S-1-5-21-3842863818-2180709222-141296495 for Domain WORKGROUP in secrets.tdb
pdc: sudo smbldap-useradd -a test
bdc: pdbedit -v test
Unix username: test
NT username: test
Account Flags: [UX ]
User SID: S-1-5-21-3842863818-2180709222-141296495-3174
Primary Group SID: (NULL SID)
Full Name: test
Home Directory: \\pdc\test
HomeDir Drive: H:
Logon Script: test.bat
Profile Path: \\pdc\profiles\test
Domain: BDC
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: 0
Password can change: 0
Password must change: 0
Last bad password : 0
Bad password count : 0
Logon hours : FF
I'm completely lost, as you surely mentioned :)
greetings and thanks juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Tue, 02 Aug 2011 14:12:05 +0200
I thought I'm done setting the domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools think I'm on a domain called BDC. Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example
- bdc# net rpc getsid
Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomainName in secrets.tdb
- Remember that before running the command, you have to set smb.conf correctly as BDC.

here's the conf of my testing smb machine:
[global]
domain master = no
domain logons = no
passdb backend = ldapsam:ldap://mule
idmap backend = ldap:ldap://mule
idmap uid = 1-15000
idmap gid = 1-15000

You have to set domain logons = yes to make this machine act as BDC. And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf
getent passwd a-user-created-on-PDC on BDC shows his entry?
--- TAKAHASHI Motonobu mo...@samba.gr.jp

ok, I'm sorry. I'm stupid. I overlooked that I disabled domain logons... now it's showing the right domain with pdbedit -v
thanks a lot. now I'm trying to logon again... cheers.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:54, J. Echter wrote:
> On 02.08.2011 14:40, Julien Celle wrote:
>> On 02/08/2011 14:22, J. Echter wrote:
>>> On 02.08.2011 14:06, Julien Celle wrote:
>>>> pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.
>>> oh I forgot, profiles are on \\pdc.
>>> cheers.
>>
>> Hi,
>>
>> There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate.
>>
>> Try moving your profile for your user test to \\bdc\profile...
>>
>> You could also post your whole smb.conf for your BDC.
>>
>> Cheers,
>> Julien.
>
> first both of my configs...
>
> BDC:
>
> [global]
> domain master = no
> domain logons = yes
> passdb backend = ldapsam:ldap://mule
> idmap backend = ldap:ldap://mule
> idmap uid = 1-15000
> idmap gid = 1-15000
> ldap suffix = dc=workgroup,dc=local
> ldap user suffix = ou=smb-usr
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap idmap suffix = ou=idmap
> ldap admin dn = cn=admin,dc=workgroup,dc=local
> ldap ssl = no
> ldap passwd sync = yes
> printing = bsd
> netbios name = BDC
> server string = BDC (%h)
> workgroup = workgroup
> interfaces = eth0,lo
> security = user
> encrypt passwords = true
> map to guest = bad user
> guest account = nobody
> logon path = \\pdc\profile\%U
> logon script = %U.bat
> logon drive = H:
> panic action = /usr/share/samba/panic-action %d
>
> PDC:
>
> [global]
> printing = bsd
> netbios name = PDC
> server string = PDC (%h)
> workgroup = workgroup
> interfaces = eth0,lo
> security = user
> encrypt passwords = true
> map to guest = bad user
> guest account = nobody
> ## LDAP
> passdb backend = ldapsam:ldap://127.0.0.1
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 1-15000
> idmap gid = 1-15000
> ldap suffix = dc=workgroup,dc=local
> ldap user suffix = ou=smb-usr
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap idmap suffix = ou=idmap
> ldap admin dn = cn=admin,dc=workgroup,dc=local
> ldap ssl = no
> ldap passwd sync = yes
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
> add user script = /usr/sbin/smbldap-useradd -a '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -a '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> local master = yes
> preferred master = yes
> domain master = yes
> domain logons = yes
> logon path = \\pdc\profile\%U
> logon script = %U.bat
> logon drive = H:
> panic action = /usr/share/samba/panic-action %d
>
> atm I have domain logons = no, to avoid negative interaction with my running pdc.
>
> hope this helps.

ok, what I know now :)

A second domain gets added to the LDAP directory if I, for example, add a user on the pdc and do a pdbedit -v an-user: I have a second SambaDomainName in my LDAP tree. This one is called the same as my bdc is configured in its smb.conf.

is it forbidden to name the server bdc or similar?

I have set workgroup = workgroup in smb.conf on pdc and bdc.

I'm lost with this...

thanks

juergen
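The symptoms in this thread (a user created on the PDC that pdbedit shows with Domain: BDC and Primary Group SID: (NULL SID), plus a second sambaDomainName entry appearing in the tree) and the unmapped-group question later on this page can all be checked directly against the directory data. The following audit script is an added example, not code from the thread or from Samba/smbldap-tools: it reads an LDIF dump and reports domain and SID inconsistencies. The LDIF below is constructed for the demonstration (attribute names are the real Samba schema ones; the "stray" account and the second domain SID are invented), and the check names are this example's own.

```python
"""Audit a Samba LDAP dump (LDIF, e.g. from `ldapsearch -x -LLL -b dc=workgroup,dc=local`) for SID inconsistencies."""
import base64
import re

# Constructed sample modelled on the thread, not a real directory dump: the intended
# domain 'workgroup', a stray 'BDC' domain created by a mis-configured second server.
SAMPLE_LDIF = """\
dn: sambaDomainName=workgroup,dc=workgroup,dc=local
objectClass: sambaDomain
sambaDomainName: workgroup
sambaSID: S-1-5-21-3842863818-2180709222-141296495

dn: sambaDomainName=BDC,dc=workgroup,dc=local
objectClass: sambaDomain
sambaDomainName: BDC
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=Domain Users,ou=groups,dc=workgroup,dc=local
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3842863818-2180709222-141296495-513

dn: uid=klaudia,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: klaudia
sambaSID: S-1-5-21-3842863818-2180709222-141296495-3000
sambaPrimaryGroupSID: S-1-5-21-3842863818-2180709222-141296495-513

dn: uid=test,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: test
sambaSID: S-1-5-21-3842863818-2180709222-141296495-3174

dn: uid=stray,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: stray
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
"""

USER_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # domain SID + RID


def parse_ldif(text):
    """Minimal LDIF reader -> list of {lower-cased attr: [values]}; handles
    folded lines (leading space) and base64 values (attr:: ...)."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and last:  # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():  # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            if value.startswith(":"):  # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries


def attr(entry, name):
    return entry.get(name, [""])[0]


def has_class(entry, name):
    return name.lower() in [c.lower() for c in entry.get("objectclass", [])]


def audit(entries, expected_domain):
    """Return (check, subject, value) tuples for every inconsistency found."""
    findings, domain_sid = [], None
    for e in entries:
        if has_class(e, "sambaDomain"):
            name, sid = attr(e, "sambadomainname"), attr(e, "sambasid")
            if name.lower() == expected_domain.lower():
                domain_sid = sid
            else:  # e.g. sambaDomainName=BDC, written by a server treating its netbios name as the domain
                findings.append(("stray-domain", name, sid))
    if domain_sid is None:
        return findings + [("missing-domain", expected_domain, "")]
    group_sids = {attr(e, "sambasid") for e in entries if has_class(e, "sambaGroupMapping")}
    for e in entries:
        if not has_class(e, "sambaSamAccount"):
            continue
        uid, sid, pgsid = attr(e, "uid"), attr(e, "sambasid"), attr(e, "sambaprimarygroupsid")
        m = USER_SID_RE.match(sid)
        if not m or m.group(1) != domain_sid:  # RID hangs off no / another domain SID
            findings.append(("foreign-user-sid", uid, sid))
        if not pgsid:  # pdbedit -v shows this as "Primary Group SID: (NULL SID)"
            findings.append(("null-primary-group", uid, ""))
        elif not pgsid.startswith(domain_sid + "-"):
            findings.append(("foreign-primary-group", uid, pgsid))
        elif pgsid not in group_sids:  # nothing `net groupmap list` would resolve
            findings.append(("unmapped-primary-group", uid, pgsid))
    return findings


if __name__ == "__main__":
    for check, subject, value in audit(parse_ldif(SAMPLE_LDIF), "workgroup"):
        print(f"{check:24} {subject:10} {value}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the file contents; an account listed as foreign-user-sid was created while the server held a different SID than the one net rpc getsid stores for the domain.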
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Tue, 02 Aug 2011 14:12:05 +0200

> I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC.
> Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example:

bdc# net rpc getsid
Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomanName in secrets.tdb

Remember that before running the command, you have to set smb.conf correctly as BDC.

> here's the conf of my testing smb machine:
>
> [global]
> domain master = no
> domain logons = no
> passdb backend = ldapsam:ldap://mule
> idmap backend = ldap:ldap://mule
> idmap uid = 1-15000
> idmap gid = 1-15000

You have to set domain logons = yes to make this machine act as BDC.

And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

> there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf

getent passwd a-user-created-on-PDC on BDC shows his entry?

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 25.07.2011 14:38, J. Echter wrote:
> On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
>> From: J. Echter j.ech...@elektro-mayer-echter.de
>> Date: Thu, 21 Jul 2011 08:51:25 +0200
>>
>>> On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>>> hi,
>>> tried all your hints. still no profiles found...
>>
>> H...
>> My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip
>>
>> In this environment,
>> 1) # chmod 1777 /var/lib/samba/shares/profiles
>> 2) changing hide files and profiles acls same as yours
>> 3) # pdbedit -p \\sambapdc\profiles\username username
>> 4) Logging on as the user, roaming profiles is successfully created.
>>
>> I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...
>>
>> ---
>> TAKAHASHI Motonobu mo...@samba.gr.jp
>
> Hi,
>
> there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.
>
> something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'.
>
> I will post the details about that later, I have to wait till I can switch the smb.conf again.
>
> cheers
>
> juergen.

hi,

I'm back :) but still the old problem.

I have my tdbsam server running, I set up another samba server, without domain logons.

I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.

sudo pdbedit -v test on my new test machine tells me:

Unix username: test
NT username: test
Account Flags: [U ]
User SID: S-1-5-21-3842863818-2180709222-141296495-3166
Primary Group SID: (NULL SID)
Full Name: test
Home Directory: \\pdc\test
HomeDir Drive: H:
Logon Script: test.bat
Profile Path: \\pdc\profiles\test
Domain: BDC
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Fr, 22 Jul 2011 23:33:55 CEST
Password can change: Fr, 22 Jul 2011 23:33:55 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

I wonder, because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain.

if I'm using this user to logon, it isn't found.

phpldapadmin also shows a line like:

sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal

here's the conf of my testing smb machine:

[global]
domain master = no
domain logons = no
passdb backend = ldapsam:ldap://mule
idmap backend = ldap:ldap://mule
idmap uid = 1-15000
idmap gid = 1-15000
ldap suffix = dc=workgroup,dc=local
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap ssl = no
ldap passwd sync = yes
printing = bsd
netbios name = BDC
server string = BDC (%h)
workgroup = workgroup
interfaces = eth0,lo
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
logon path = \\pdc\profile\%U
logon script = %U.bat
logon drive = H:
panic action = /usr/share/samba/panic-action %d

my smbldap config is the following:

sambaDomain=workgroup
suffix=dc=workgroup,dc=local
userProfile=\\pdc\profiles\%U

nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files wins dns
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

I hope somebody can tell me what's going on. I'm completely lost since a while :)

thanks

a nice day to all.

juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
First of all, there is a problem between your samba conf and the output of pdbedit: your server netbios name is defined in your smb.conf as 'BDC' and your workgroup/domain as 'workgroup', whereas the pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'. Setting those correctly to the same values should help.

On 02/08/2011 13:08, J. Echter wrote:
> On 25.07.2011 14:38, J. Echter wrote:
>> On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
>>> From: J. Echter j.ech...@elektro-mayer-echter.de
>>> Date: Thu, 21 Jul 2011 08:51:25 +0200
>>>
>>>> On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>>>> hi,
>>>> tried all your hints. still no profiles found...
>>>
>>> H...
>>> My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip
>>>
>>> In this environment,
>>> 1) # chmod 1777 /var/lib/samba/shares/profiles
>>> 2) changing hide files and profiles acls same as yours
>>> 3) # pdbedit -p \\sambapdc\profiles\username username
>>> 4) Logging on as the user, roaming profiles is successfully created.
>>>
>>> I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...
>>>
>>> ---
>>> TAKAHASHI Motonobu mo...@samba.gr.jp
>>
>> Hi,
>>
>> there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.
>>
>> something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'.
>>
>> I will post the details about that later, I have to wait till I can switch the smb.conf again.
>>
>> cheers
>>
>> juergen.
>
> hi,
>
> I'm back :) but still the old problem.
>
> I have my tdbsam server running, I set up another samba server, without domain logons.
>
> I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.
>
> sudo pdbedit -v test on my new test machine tells me:
>
> Unix username: test
> NT username: test
> Account Flags: [U ]
> User SID: S-1-5-21-3842863818-2180709222-141296495-3166
> Primary Group SID: (NULL SID)
> Full Name: test
> Home Directory: \\pdc\test
> HomeDir Drive: H:
> Logon Script: test.bat
> Profile Path: \\pdc\profiles\test
> Domain: BDC
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Fr, 22 Jul 2011 23:33:55 CEST
> Password can change: Fr, 22 Jul 2011 23:33:55 CEST
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FF
>
> I wonder, because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain.
>
> if I'm using this user to logon, it isn't found.
>
> phpldapadmin also shows a line like:
>
> sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
> sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal
>
> here's the conf of my testing smb machine:
>
> [global]
> domain master = no
> domain logons = no
> passdb backend = ldapsam:ldap://mule
> idmap backend = ldap:ldap://mule
> idmap uid = 1-15000
> idmap gid = 1-15000
> ldap suffix = dc=workgroup,dc=local
> ldap user suffix = ou=smb-usr
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap idmap suffix = ou=idmap
> ldap admin dn = cn=admin,dc=workgroup,dc=local
> ldap ssl = no
> ldap passwd sync = yes
> printing = bsd
> netbios name = BDC
> server string = BDC (%h)
> workgroup = workgroup
> interfaces = eth0,lo
> security = user
> encrypt passwords = true
> map to guest = bad user
> guest account = nobody
> logon path = \\pdc\profile\%U
> logon script = %U.bat
> logon drive = H:
> panic action = /usr/share/samba/panic-action %d
>
> my smbldap config is the following:
>
> sambaDomain=workgroup
> suffix=dc=workgroup,dc=local
> userProfile=\\pdc\profiles\%U
>
> nsswitch.conf:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files wins dns
> networks: files dns
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> I hope somebody can tell me what's going on. I'm completely lost since a while :)
>
> thanks
>
> a nice day to all.
>
> juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:06, Julien Celle wrote:
> First of all, there is a problem between your samba conf and the output of pdbedit: your server netbios name is defined in your smb.conf as 'BDC' and your workgroup/domain as 'workgroup', whereas the pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'. Setting those correctly to the same values should help.
>
> On 02/08/2011 13:08, J. Echter wrote:
>> On 25.07.2011 14:38, J. Echter wrote:
>>> On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
>>>> From: J. Echter j.ech...@elektro-mayer-echter.de
>>>> Date: Thu, 21 Jul 2011 08:51:25 +0200
>>>>
>>>>> On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>>>>> hi,
>>>>> tried all your hints. still no profiles found...
>>>>
>>>> H...
>>>> My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip
>>>>
>>>> In this environment,
>>>> 1) # chmod 1777 /var/lib/samba/shares/profiles
>>>> 2) changing hide files and profiles acls same as yours
>>>> 3) # pdbedit -p \\sambapdc\profiles\username username
>>>> 4) Logging on as the user, roaming profiles is successfully created.
>>>>
>>>> I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...
>>>>
>>>> ---
>>>> TAKAHASHI Motonobu mo...@samba.gr.jp
>>>
>>> Hi,
>>>
>>> there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.
>>>
>>> something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'.
>>>
>>> I will post the details about that later, I have to wait till I can switch the smb.conf again.
>>>
>>> cheers
>>>
>>> juergen.
>>
>> hi,
>>
>> I'm back :) but still the old problem.
>>
>> I have my tdbsam server running, I set up another samba server, without domain logons.
>>
>> I added a user 'test' to my ldap db. I added this user on the main pdc with smbldap-useradd.
>>
>> sudo pdbedit -v test on my new test machine tells me:
>>
>> Unix username: test
>> NT username: test
>> Account Flags: [U ]
>> User SID: S-1-5-21-3842863818-2180709222-141296495-3166
>> Primary Group SID: (NULL SID)
>> Full Name: test
>> Home Directory: \\pdc\test
>> HomeDir Drive: H:
>> Logon Script: test.bat
>> Profile Path: \\pdc\profiles\test
>> Domain: BDC
>> Account desc:
>> Workstations:
>> Munged dial:
>> Logon time: 0
>> Logoff time: never
>> Kickoff time: never
>> Password last set: Fr, 22 Jul 2011 23:33:55 CEST
>> Password can change: Fr, 22 Jul 2011 23:33:55 CEST
>> Password must change: never
>> Last bad password : 0
>> Bad password count : 0
>> Logon hours : FF
>>
>> I wonder, because my domain is called workgroup, not bdc. BDC is the name of the machine, not the domain.
>>
>> if I'm using this user to logon, it isn't found.
>>
>> phpldapadmin also shows a line like:
>>
>> sambaDomainName=BDC http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3DBDC%2Cdc%3Dworkgroup%2Cdc%3Dlocal
>> sambaDomainName=workgroup http://192.168.0.200/phpldapadmin/cmd.php?cmd=template_engineserver_id=1dn=sambaDomainName%3Dworkgroup%2Cdc%3Dworkgroup%2Cdc%3Dlocal
>>
>> here's the conf of my testing smb machine:
>>
>> [global]
>> domain master = no
>> domain logons = no
>> passdb backend = ldapsam:ldap://mule
>> idmap backend = ldap:ldap://mule
>> idmap uid = 1-15000
>> idmap gid = 1-15000
>> ldap suffix = dc=workgroup,dc=local
>> ldap user suffix = ou=smb-usr
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap idmap suffix = ou=idmap
>> ldap admin dn = cn=admin,dc=workgroup,dc=local
>> ldap ssl = no
>> ldap passwd sync = yes
>> printing = bsd
>> netbios name = BDC
>> server string = BDC (%h)
>> workgroup = workgroup
>> interfaces = eth0,lo
>> security = user
>> encrypt passwords = true
>> map to guest = bad user
>> guest account = nobody
>> logon path = \\pdc\profile\%U
>> logon script = %U.bat
>> logon drive = H:
>> panic action = /usr/share/samba/panic-action %d
>>
>> my smbldap config is the following:
>>
>> sambaDomain=workgroup
>> suffix=dc=workgroup,dc=local
>> userProfile=\\pdc\profiles\%U
>>
>> nsswitch.conf:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>> hosts: files wins dns
>> networks: files dns
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>> netgroup: nis
>>
>> I hope somebody can tell me what's going on. I'm completely lost since a while :)
>>
>> thanks
>>
>> a nice day to all.
>>
>> juergen.

Hi,

my PDC has netbios name PDC and domain WORKGROUP, this one works (but not with LDAP)

I set up this box called BDC (I want to integrate it as BDC later on)

I thought I'm done setting domain to WORKGROUP, as it's set in smbldap.conf. I don't get why smbldap tools thinks I'm on a domain called BDC.

Would it help if I post some output from pdbedit or stuff like that? I really don't get where this error comes from.

thanks for helping

greetings

juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:06, Julien Celle wrote:
> pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh I forgot, profiles are on \\pdc.

cheers.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02/08/2011 14:22, J. Echter wrote:
> On 02.08.2011 14:06, Julien Celle wrote:
>> pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.
>
> oh I forgot, profiles are on \\pdc.
>
> cheers.

Hi,

There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate.

Try moving your profile for your user test to \\bdc\profile...

You could also post your whole smb.conf for your BDC.

Cheers,
Julien.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:40, Julien Celle wrote:
> On 02/08/2011 14:22, J. Echter wrote:
>> On 02.08.2011 14:06, Julien Celle wrote:
>>> pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.
>>
>> oh I forgot, profiles are on \\pdc.
>>
>> cheers.
>
> Hi,
>
> There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate.
>
> Try moving your profile for your user test to \\bdc\profile...
>
> You could also post your whole smb.conf for your BDC.
>
> Cheers,
> Julien.

first both of my configs...

BDC:

[global]
domain master = no
domain logons = yes
passdb backend = ldapsam:ldap://mule
idmap backend = ldap:ldap://mule
idmap uid = 1-15000
idmap gid = 1-15000
ldap suffix = dc=workgroup,dc=local
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap ssl = no
ldap passwd sync = yes
printing = bsd
netbios name = BDC
server string = BDC (%h)
workgroup = workgroup
interfaces = eth0,lo
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
logon path = \\pdc\profile\%U
logon script = %U.bat
logon drive = H:
panic action = /usr/share/samba/panic-action %d

PDC:

[global]
printing = bsd
netbios name = PDC
server string = PDC (%h)
workgroup = workgroup
interfaces = eth0,lo
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
## LDAP
passdb backend = ldapsam:ldap://127.0.0.1
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-15000
idmap gid = 1-15000
ldap suffix = dc=workgroup,dc=local
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap ssl = no
ldap passwd sync = yes
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -a '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon path = \\pdc\profile\%U
logon script = %U.bat
logon drive = H:
panic action = /usr/share/samba/panic-action %d

atm I have domain logons = no, to avoid negative interaction with my running pdc.

hope this helps.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 22.07.2011 17:48, TAKAHASHI Motonobu wrote:
> From: J. Echter j.ech...@elektro-mayer-echter.de
> Date: Thu, 21 Jul 2011 08:51:25 +0200
>
>> On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>> hi,
>> tried all your hints. still no profiles found...
>
> H...
> My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip
>
> In this environment,
> 1) # chmod 1777 /var/lib/samba/shares/profiles
> 2) changing hide files and profiles acls same as yours
> 3) # pdbedit -p \\sambapdc\profiles\username username
> 4) Logging on as the user, roaming profiles is successfully created.
>
> I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...
>
> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp

Hi,

there's something wrong with my config... the successful logins are only possible because the users are already there as local unix accounts. I created a new user 'test' and this one can't even login.

something with nsswitch seems configured wrong, imho. I get an error like 'no unix account found'.

I will post the details about that later, I have to wait till I can switch the smb.conf again.

cheers

juergen.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Thu, 21 Jul 2011 08:51:25 +0200

> On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
> hi,
> tried all your hints. still no profiles found...

H...

My testing environment is available at ftp://ftp.ring.gr.jp/pub/net/samba-jp/vmware_player_images/sambapdc-squeeze-20110713.zip

In this environment,
1) # chmod 1777 /var/lib/samba/shares/profiles
2) changing hide files and profiles acls same as yours
3) # pdbedit -p \\sambapdc\profiles\username username
4) Logging on as the user, roaming profiles is successfully created.

I'm using ldapsam:editposix instead of smbldap-tools, so this may not help you...

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
> From: J. Echter j.ech...@elektro-mayer-echter.de
> Date: Wed, 20 Jul 2011 17:58:34 +0200
>
>> I finally have my LDAP backend working for authentication for my DC. Logon scripts are executed, user is authenticated, but my roaming profiles are not found.
>>
>> here is what I have in my config files:
>
> (snip)
>
>> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
>
> Try to comment this line.
>
>> [profile]
>> path = /bacula/samba/profile
>
> This path has valid permission?
>
>> guest ok = yes
>
> Try to remove guest ok line.
>
> And actually pdbedit -v a-user shows valid profile path?
>
> ---
> TAKAHASHI Motonobu mo...@monyo.com

hi,

tried all your hints. still no profiles found...
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
Hi,

a working profile share..

[profiles]
path = /bacula/samba/profile
comment = Profiel enviroment.
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
csc policy = disable
force user = %U
# next line allows administrator to access all profiles
valid users = %U @Domain Admins

good luck.

-----Original Message-----
From: j.ech...@elektro-mayer-echter.de [mailto:samba-boun...@lists.samba.org] On Behalf Of J. Echter
Sent: 2011-07-20 18:21
To: samba@lists.samba.org
Subject: Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles

On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>> [profile]
>> path = /bacula/samba/profile
>
> This path has valid permission?

drwxrwxrwt 21 root root 4096 Jul 7 09:48 profile

> And actually pdbedit -v a-user shows valid profile path?

pdbedit -v klaudia
Full Name: klaudia
Home Directory: \\pdc\klaudia
HomeDir Drive: H:
Logon Script: klaudia.bat
Profile Path: \\pdc\profile\klaudia
Domain: WORKGROUP

cheers

juergen
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 21.07.2011 11:33, L.P.H. van Belle wrote:
> Hi,
>
> a working profile share..
>
> [profiles]
> path = /bacula/samba/profile
> comment = Profiel enviroment.
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = Yes
> guest ok = Yes
> csc policy = disable
> force user = %U
> # next line allows administrator to access all profiles
> valid users = %U @Domain Admins
>
> good luck.

I'll try with this one and will report back.

thanks

juergen
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: J. Echter j.ech...@elektro-mayer-echter.de
Date: Wed, 20 Jul 2011 17:58:34 +0200

> I finally have my LDAP backend working for authentication for my DC. Logon scripts are executed, user is authenticated, but my roaming profiles are not found.
>
> here is what I have in my config files:

(snip)

> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/

Try to comment this line.

> [profile]
> path = /bacula/samba/profile

This path has valid permission?

> guest ok = yes

Try to remove guest ok line.

And actually pdbedit -v a-user shows valid profile path?

---
TAKAHASHI Motonobu mo...@monyo.com
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 20.07.2011 18:08, TAKAHASHI Motonobu wrote:
>> [profile]
>> path = /bacula/samba/profile
>
> This path has valid permission?

drwxrwxrwt 21 root root 4096 Jul 7 09:48 profile

> And actually pdbedit -v a-user shows valid profile path?

pdbedit -v klaudia
Full Name: klaudia
Home Directory: \\pdc\klaudia
HomeDir Drive: H:
Logon Script: klaudia.bat
Profile Path: \\pdc\profile\klaudia
Domain: WORKGROUP

cheers

juergen
Re: [Samba] Samba, LDAP, Windows XP - force passwordchange on first login
Hello Götz,

These settings should work ok:

sambaPwdCanChange=1
sambaPwdLastSet=0
sambaPwdMustChange=0

Your sambaMaxPwdAge must point to something useful, e.g. sambaMaxPwdAge: 5184000.

To administrate this try http://ldapadmin.sourceforge.net/

Greetings
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Götz Reinicke - IT-Koordinator
Sent: Tuesday, 1 February 2011 15:53
To: samba@lists.samba.org
Subject: [Samba] Samba, LDAP, Windows XP - force passwordchange on first login

Hello,

I was looking for the right ldap attribute and setting to force users to change their password when they log in for the first time.

Can someone point me to the syntax or doc I did not find yet?

samba 3.5.4 and openldap-2.4.19

Thanks and regards,

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
Re: [Samba] Samba+LDAP+Password
You do not need:

obey pam restrictions = yes
pam password chanve = yes

If you have only samba/openldap as DC you do not need winbind with smbldap-tools.

Good Luck
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Rodolfo Barbosa
Sent: Monday, 31 January 2011 12:27
To: samba@lists.samba.org
Subject: [Samba] Samba+LDAP+Password

Hi,

We have a Debian Lenny running Samba 3.5.5 with OpenLDAP and Winbind. The users can change their password via windows clients but after the password expires they can't set a new password. To unlock the user account I have to set a new password via the smbldap-passwd script.

I have the following parameters set on my smb.conf:

obey pam restrictions = yes
pam password chanve = yes

Thanks
--
Rodolfo Barbosa
Lunar Consultoria
+55(35)3821-8066
+55(35)9132-0764
Re: [Samba] Samba LDAP ignores group information
alexan...@nautae.eti.br wrote:

> Hi. Excuse my English.
>
> I've installed Samba+OpenLDAP as a PDC. Everything works fine but Samba completely ignores group information. Linux is ok. Any clue? I'm going crazy here!
>
> Here's the situation:
>
>     user: fish1
>     home dir: /home/realm/swim/fish1
>     primary group: swimmers
>     other groups: smokers
>
> Directory of the smokers group: /home/realm/smokers
>
> Here's an 'ls -l' on the smokers parent dir:
>
>     drwxrws--- 19 cigarr smokers 2208 Jul 27 2010 smokers
>
> Here's the share:
>
>     [smokers]
>     comment = Smoking
>     path = /home/realm/smokers
>     valid users = @smokers @swimmers @support
>     public = no
>     writable = yes
>     browseable = yes
>     create mask = 0777
>     force create mode = 0777
>     force directory mode = 0777
>     directory mode = 0777
>
> Here's 'id' information:
>
>     # id fish1
>     uid=1193(fish1) gid=1012(swimmers) groups=1013(smokers)
>
> So, when user fish1 tries to enter the 'smokers' share: permission denied. If I give all permissions to 'others', fish1 can use the share normally. This only happens when I try to access using Windows. Linux is ok. Any idea? Seems to be an error between Samba and OpenLDAP...
>
> Here's smbldap-usershow:
>
>     # smbldap-usershow fish1
>     dn: uid=fish1,ou=swimmers,ou=people,dc=example,dc=com
>     objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
>     cn: fish1
>     sn: fish1
>     givenName: fish1
>     uid: fish1
>     uidNumber: 1193
>     gidNumber: 1012
>     homeDirectory: /home/realm/swim/fish1
>     loginShell: /bin/bash
>     gecos: System User
>     sambaLogonTime: 0
>     sambaLogoffTime: 2147483647
>     sambaKickoffTime: 2147483647
>     sambaPwdCanChange: 0
>     displayName: angela
>     sambaSID: S-1-5-21-158730468-2379596502-3695168017-0001
>     sambaPrimaryGroupSID: S-1-5-21-158730468-2379596502-3695168017-0002
>     sambaLogonScript: swimmers.bat
>     sambaProfilePath: \\REALMSERV\profiles\fish1
>     sambaHomePath: \\REALMSERV\fish1
>     sambaHomeDrive: U:
>     sambaLMPassword: C665AEE66EF2A261AAD3B435B5143E3E
>     sambaAcctFlags: [U]
>     sambaNTPassword: 84AC02807D3D1C7000A79BD0E97BAEFEF
>     sambaPwdLastSet: 1280219188
>     sambaPwdMustChange: 2144132788
>     userPassword: {CRYPT}c28JIqzpe43e
>     shadowLastChange: 14817
>     shadowMax:
>
> Here's /etc/ldap.conf:
>
>     base dc=example,dc=com
>     uri ldapi:///127.0.0.1
>     uri ldap://127.0.0.1
>     ldap_version 3
>     binddn cn=admin,dc=example,dc=com
>     bindpw mysecret
>     rootbinddn cn=admin,dc=example,dc=com
>     scope sub
>     bind_policy soft
>     pam_filter objectclass=posixAccount
>     pam_login_attribute uid
>     pam_check_host_attr yes
>     pam_member_attribute memberUid
>     pam_password md5
>     nss_base_passwd ou=people,dc=example,dc=com?sub
>     nss_base_passwd ou=computers,dc=example,dc=com?sub
>     nss_base_group ou=groups,dc=example,dc=com?sub
>
> And the smbldap.conf:
>
>     SID=S-1-5-21-158730468-2379596502-3695168017
>     sambaDomain=REALM
>     slaveLDAP=127.0.0.1
>     slavePort=389
>     masterLDAP=127.0.0.1
>     masterPort=389
>     ldapTLS=0
>     verify=require
>     cafile=
>     clientcert=
>     clientkey=
>     suffix=dc=example,dc=com
>     usersdn=ou=people,${suffix}
>     computersdn=ou=computers,${suffix}
>     groupsdn=ou=groups,${suffix}
>     sambaUnixIdPooldn=sambaDomainName=${sambaDomain},${suffix}
>     scope=sub
>     hash_encrypt=CRYPT
>     userLoginShell=/bin/bash
>     userHome=/home/%U
>     userGecos=System User
>     defaultUserGid=543
>     defaultComputerGid=543
>     skeletonDir=/etc/skel
>     defaultMaxPasswordAge=
>     userSmbHome=\\REALMSERV\%U
>     userProfile=\\REALMSERV\profiles\%U
>     userHomeDirectoryMode=700
>     userHomeDrive=U:
>     userScript=%g.bat
>     mailDomain=example.com
>     with_smbpasswd=0
>     smbpasswd=/usr/bin/smbpasswd
>     with_slappasswd=0
>     slappasswd=/usr/sbin/slappasswd
>
> And finally, smb.conf:
>
>     workgroup = REALM
>     netbios name = REALMSERV
>     server string = My Realm %v
>     security = user
>     encrypt passwords = yes
>     load printers = yes
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     os level = 33
>     local master = yes
>     domain master = yes
>     preferred master = yes
>     domain logons = yes
>     #admin users = god
>     logon script = %g.bat
>     logon path = \\%L\profiles\%U
>     #logon path = \\%N\profiles\%U
>     wins support = no
>     dns proxy = no
>     ldap passwd sync = yes
>     ldap delete dn = yes
>     passdb backend = ldapsam:ldap://127.0.0.1
>     ldap admin dn = cn=admin,dc=example,dc=com
>     ldap suffix = dc=example,dc=com
>     ldap group suffix = ou=groups
>     ldap user suffix = ou=people
>     ldap machine suffix = ou=computers
>     create mask = 600
>     directory mask = 0700
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I'm lost...
>
> []s
> Alexander
> Brazil

It sounds as though the groups aren't mapped for windows within samba.. try

    # net groupmap list

does this give you any groups? are the groups you're working with included? How did you create the groups? smbldap-groupadd I hope?
Re: [Samba] Samba LDAP ignores group information
On 2010-07-27 20:05, alexan...@nautae.eti.br wrote:

> [original message snipped; it is quoted in full above]

What version of Samba?

What does this command return:

    net rpc user info fish1

Daniel
Re: [Samba] Samba LDAP ignores group information
On 07/27/2010 03:38 PM, Daniel Deptuła wrote:

> On 2010-07-27 20:05, alexan...@nautae.eti.br wrote:
>
>> [original message snipped; it is quoted in full above]
>
> What version of Samba?
>
> What does this command return:
>
>     net rpc user info fish1
>
> Daniel

Also check the output from

    net groupmap list

For each well known group (e.g. Domain Users) you should have a SID defined (with a standard RID.) For example, Domain Users has a RID of 513. Groups you define (e.g. Swimmers) do not have to have a SID defined- unix will still enforce the permissions- but it can make life easier if you do define a SID. The SID will have the domain component + unique RID (relative ID.) e.g.

    # net groupmap list
    Domain Users
Re: [Samba] Samba/LDAP and home dir creation
Subject: [Samba] Samba/LDAP and home dir creation

> Hi, all.
>
> I'm working on a project to create a Samba PDC with LDAP authentication. I've been pretty successful in getting everything to work. However, I've run into a small snag: The PDC is built on an OpenSuse 11.2 box. Most of the member servers are also OpenSuse 11.2 boxes. However, a CentOS 5.5 server was just added to the mix. While users can log into the CentOS box, with LDAP providing the creds, no home directory is automagically created as in the OpenSuse boxes. I'd like to fix that, with your help. I've used authconfig-tui on the CentOS box to enable Use LDAP and Use LDAP Authentication (the equivalent of YAST's LDAP Client config tool?). I believe my smb.conf and ldap.conf files are correct (I'll provide them if you all need to see them).
>
> Any ideas?
>
> Thanks.
>
> Dimitri

--

To avoid messing with PAM, you can also do something like

    root preexec = /data/Backup/createhomes.sh %D %S

in your smb.conf and the file createhomes.sh looks something like

    #!/bin/bash
    # $1 = %D (domain), $2 = %S (service name, i.e. the user name under [homes])
    # Arguments are quoted so that group names containing spaces
    # ("domain admins", "domain users") are passed as a single word.
    if [ ! -d "/data/homes/$1/$2" ]; then
        mkdir "/data/homes/$1/$2"
        chmod g+s "/data/homes/$1/$2"
        chown "$2:domain admins" "/data/homes/$1/$2"
        chmod 770 "/data/homes/$1/$2"
        /usr/bin/setfacl -m "g:domain admins:rwx" "/data/homes/$1/$2"
        /usr/bin/setfacl -m "u:$2:rwx" "/data/homes/$1/$2"
        /usr/bin/setfacl -m "g:domain users:000" "/data/homes/$1/$2"
    fi
    exit 0

-=Andrew
Re: [Samba] Samba/LDAP and home dir creation
Hi Dimitri,

You probably want to enable the PAM module responsible for this. Back up and edit your /etc/pam.d/system-auth and add the following line:

    session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022

Note: Messing with your pam config may lock you out of the system, so be careful.

2010/6/9 Dimitri Yioulos dyiou...@firstbhph.com:

> [original message snipped; it is quoted in full above]

--
Diego Lima
Re: [Samba] Samba/LDAP and home dir creation
On Wednesday 09 June 2010 4:47:31 pm you wrote:

> Hi Dimitri,
>
> You probably want to enable the PAM module responsible for this. Back up and edit your /etc/pam.d/system-auth and add the following line:
>
>     session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
>
> Note: Messing with your pam config may lock you out of the system, so be careful.
>
> 2010/6/9 Dimitri Yioulos dyiou...@firstbhph.com:
>
>> [original message snipped; it is quoted in full above]
>
> --
> Diego Lima

Diego,

That worked perfectly! I used pam_mkhomedir.so, though, as this is a 32-bit system.

Thank you.

Dimitri
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
You are missing something, which I just realized reading this: a couple of emails went back and forth off-list. Oops.

I think the following is essentially accurate: someone will surely correct me if it's not.

At the moment, this is the only samba server there is, and it's acting as a PDC. At some point, I'll (probably) be building an actual PDC, at which point domain master will be set to no. That will change the role from PDC to BDC, which is (as far as I can tell) what I want. The problem right now is that, if I set this to act as a BDC, I can't actually join the domain, because there isn't a controller. Because of that, this system (SL1) has to act as a PDC.

When I said it's not acting as a PDC, I should have said "...but not being used as a domain login controller", rather than "...not acting as".

What I really probably OUGHT to do is set up mv (our LDAP server) to act as a PDC now, and simply let this act as a client. Unfortunately, I don't have time to do it now -- I'll probably get to that sometime over the summer, when things are a little less crazy.

-Alex

zoolook wrote:

> 2010/5/18 Alex McKenzie a...@chem.umass.edu:
>
>>     r...@sl1:/etc/samba# testparm
>>     Server role: ROLE_DOMAIN_PDC
>>     [global]
>>         workgroup = CHEMBMB
>>         domain logons = Yes
>>         preferred master = Yes
>>         domain master = Yes
>>
>> This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.
>
> Hm!?
>
>> Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!
>
> Can you (or someone else) please explain this because either I'm too dumb or too sleepy. From what I can see, your samba server IS a PDC.
>
> If you want SL1 to be a member of CHEMBMB, you need to:
>
>     domain logons = No
>     security = DOMAIN
>
> Then:
>
>     # net rpc join    ((or net ads join))
>
> Am I missing something here?
>
> Thanks,
> Norberto
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
t...@tms3.com wrote:

> SNIP
>
>>     SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>     SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> 7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.
>
> You have two different domains. And the users are in CHEMBMB and the server is a member of SL1. Why not join SL1 to CHEMBMB?

How do I get the server to join CHEMBMB? I spent about two hours trying to get the two SIDs to be the same, with no success. I assumed that was part of the issue, but I finally gave up on making it work. I assume I'd use net setlocalsid, which shows the following:

    r...@sl1:~# net getdomainsid
    SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
    SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
    r...@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
    r...@schnelllab1:~# net getdomainsid
    SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
    SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

If there's something else I should be doing, I'd love to know what it is!

-Alex

>> 8) testparm on sl1 returns the following:
>>
>>     Load smb config files from /etc/samba/smb.conf
>>     Processing section [homes]
>>     Processing section [itadmins]
>>     Loaded services file OK.
>>     Server role: ROLE_STANDALONE
>>     Press enter to see a dump of your service definitions
>>
>>     [global]
>>         workgroup = CHEMBMB
>>         server string = %h server (Samba, Ubuntu)
>>         map to guest = Bad User
>>         obey pam restrictions = Yes
>>         passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
>>         pam password change = Yes
>>         passwd program = /usr/bin/passwd %u
>>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>         unix password sync = Yes
>>         syslog = 255
>>         log file = /var/log/samba/log.%m
>>         max log size = 1000
>>         dns proxy = No
>>         ldap admin dn = cn=admin,dc=cns
>>         ldap group suffix = ou=Chemistry groups
>>         ldap suffix = ou=Chemistry,dc=cns
>>         ldap ssl = no
>>         ldap user suffix = ou=Chemistry users
>>         usershare allow guests = Yes
>>         panic action = /usr/share/samba/panic-action %d
>>         invalid users = root
>>
>>     [homes]
>>         comment = Home Directories
>>         read only = No
>>         browseable = No
>>
>>     [itadmins]
>>         comment = Shared directory for the IT group
>>         path = /home/itadmins
>>         valid users = spalmer, amckenzie
>>         read only = No
>>         create mask = 0665
>>         directory mask = 0775
>>
>> Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.
>>
>> Thanks in advance,
>> Alex McKenzie
>> a...@chem.umass.edu
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
I do have smbldap tools installed and, as far as I can tell, set up.

    net join CHEMBMB -U Administrator

returns "cannot join as standalone machine".

The LDAP structure may be the issue... I don't think computer accounts were ever set up on the current server (the last server was done by the guy who used to do my job, who left basically no documentation), because I wasn't aware they were necessary for this. We're not planning to use Samba/LDAP for windows authentication (only Mac, which doesn't require any sort of machine account, and linux, which also doesn't require a machine account), and if we do decide to do windows auth with Samba, it won't be using SL1. SL1 is only a file server -- it's for a small research group, and there will eventually be a bunch of them, possibly as many as 30-40. The system that LDAP runs on will eventually become a PDC, if necessary, but for now samba isn't even installed.

If that's the issue, I'll feel stupid, but grateful that someone pointed me in the right direction. Let me know what to try next... as I said initially, I'm quite out of my depth.

I haven't been testing with a Windows machine, and I did something to completely break SL1 yesterday, so I can't test it right now. (I changed something in smb.conf, and now samba won't start -- I need to figure out what that is before I go any further.)

-Alex

t...@tms3.com wrote:

>> How do I get the server to join CHEMBMB?
>
> I may have been hasty, but I don't have a proper domain to check at the moment. However:
>
> Do you have smbldap-tools installed and set up on sl1?
>
> Did you ever issue
>
>     net join CHEMBMB -U Administrator
>
> from sl1?
>
> Check your ldap structure. You should have a computer with an LDIF that looks like this:
>
>     dn: uid=zaphod$, ou=computers, dc=mydomain,dc=com
>     sambaPrimaryGroupSID: S-1-5-21-1498823292-3530380933-788562438-515
>     sambaDomainName: MYDOMAIN
>     displayName: zaphod$
>     objectClass: posixAccount
>     objectClass: account
>     objectClass: sambaSamAccount
>     sambaLogonTime: 0
>     uid: zaphod$
>     uidNumber: 41328
>     cn: zaphod$
>     sambaLogoffTime: 2147483647
>     sambaPwdLastSet: 1267756286
>     sambaAcctFlags: [S ]
>     loginShell: /bin/false
>     gidNumber: 553
>     sambaPwdMustChange: 2147483647
>     sambaNTPassword: 3509E1ED1B7398134D9D429474E47386
>     sambaPwdCanChange: 0
>     sambaSID: S-1-5-21-1498823292-3530380933-788562438-83656
>     gecos: Computer
>     description: Computer
>     homeDirectory: /dev/null
>     sambaKickoffTime: 2147483647
>
> ALSO, I assume you are using some kind of Windows work station for the users, so what error does Windows display when the users log in?
>
> Cheers,
>
> TMS III
>
>> I spent about two hours trying to get the two SIDs to be the same, with no success. I assumed that was part of the issue, but I finally gave up on making it work. I assume I'd use net setlocalsid, which shows the following:
>>
>>     r...@sl1:~# net getdomainsid
>>     SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>     SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>     r...@sl1:~# net setlocalsid S-1-5-21-4167008922-1292391803-4044586981
>>     r...@schnelllab1:~# net getdomainsid
>>     SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
>>     SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>>
>> If there's something else I should be doing, I'd love to know what it is!
>>
>> -Alex
>>
>>> 8) testparm on sl1 returns the following:
>>>
>>> [testparm output and closing remarks snipped; they are quoted in full above]
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
This fixed it! For the record, since I suspect this all gets archived and is searchable: here's the output of testparm.

    r...@sl1:/etc/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section [homes]
    Processing section [itadmins]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions

    [global]
        workgroup = CHEMBMB
        server string = %h server (Samba, Ubuntu)
        map to guest = Bad User
        obey pam restrictions = Yes
        passdb backend = ldapsam:ldaps://mv.chem.umass.edu
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=cns
        ldap group suffix = ou=Chemistry groups
        ldap suffix = ou=Chemistry,dc=cns
        ldap ssl = no
        ldap user suffix = ou=Chemistry users
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root

    [homes]
        comment = Home Directories
        read only = No
        browseable = No
        valid users = %S

    [itadmins]
        comment = Shared directory for the IT group
        path = /home/itadmins
        valid users = amckenzie, jmaher, spalmer, bmbchem
        read only = No
        create mask = 0665
        directory mask = 0775
        browseable = No

net getdomainsid returns:

    SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
    SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.

Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!

-Alex McKenzie

t...@tms3.com wrote:

> SNIP
>
>> I do have smbldap tools installed and, as far as I can tell, set up.
>>
>>     net join CHEMBMB -U Administrator
>>
>> returns "cannot join as standalone machine".
>
> DUHHH! I'm sorry I'm a moron. OK, change that to
>
>     preferred master = Yes
>     domain logons = Yes
>     domain master = Yes
>
> ---if this is the only DC in CHEMBMB. If you have another samba server as PDC in CHEMBMB then set that to no
>
>> [rest of the earlier exchange snipped; it is quoted in full above]
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
2010/5/18 Alex McKenzie a...@chem.umass.edu:

r...@sl1:/etc/samba# testparm
Server role: ROLE_DOMAIN_PDC
[global]
workgroup = CHEMBMB
domain logons = Yes
preferred master = Yes
domain master = Yes

This is a standalone server providing file sharing, but not acting as a domain login controller: if I ever want that, I'll be building a different server for it.

Hm!?

Thanks to tms3 for the instructions: I'd been spinning my wheels for two weeks before his (her?) advice!

Can you (or someone else) please explain this, because either I'm too dumb or too sleepy. From what I can see, your samba server IS a PDC. If you want SL1 to be a member of CHEMBMB, you need to:

domain logons = No
security = DOMAIN

Then:

# net rpc join   (or net ads join)

Am I missing something here?

Thanks,
Norberto
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
So no one has any guesses on this? I've found nothing new, so any help at all would be appreciated...

-Alex

Alex McKenzie wrote:

Greetings,

While I've seen this referred to in a lot of places, I haven't yet found a posted solution that works for me. Testing has been done from a Mac running OSX 10.5.8. Here's what I have so far: if anyone can give me a next step to test, I'd appreciate it. If anyone can give me a complete solution, I'd appreciate it even more. 8-)

1) An LDAP server mv, running Ubuntu 8.04 LTS. Samba is not installed.

2) A group file server sl1, running Ubuntu 8.04 LTS. LDAP is not installed.

3) Users can successfully authenticate to sl1 against LDAP when connecting via SSH. If their user directory exists (they have logged in via ssh) they can connect to their home directory through samba by connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal network), so I know samba is successfully connecting to the LDAP server. Traffic between the file server and the LDAP server is encrypted, as confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused, and the following shows up in the samba logs; the share has users amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
  Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [itadmins]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = CHEMBMB
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 255
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
ldap admin dn = cn=admin,dc=cns
ldap group suffix = ou=Chemistry groups
ldap suffix = ou=Chemistry,dc=cns
ldap ssl = no
ldap user suffix = ou=Chemistry users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root

[homes]
comment = Home Directories
read only = No
browseable = No

[itadmins]
comment = Shared directory for the IT group
path = /home/itadmins
valid users = spalmer, amckenzie
read only = No
create mask = 0665
directory mask = 0775

Any advice would be appreciated -- I'm well beyond my understanding of samba at the moment, and my understanding of samba is well beyond what it was 48 hours ago. At the moment neither server is mission critical, so tests that take them temporarily off-line are possible. By early next week things will be authenticating against the LDAP server (we've got no choice -- the old LDAP server is failing fast), so I won't be able to take it down for testing.

Thanks in advance,
Alex McKenzie
a...@chem.umass.edu
Re: [Samba] Samba/LDAP share issue -- user with invalid SID
SNIP

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form S-1-5-21-4167008922-1292391803-4044586981-[unique number], which is generated according to the rules the smbldap tools use.

You have two different domains. And the users are in CHEMBMB and the server is a member of SL1. Why not join SL1 to CHEMBMB?
Re: [Samba] samba, ldap, kerberos
samba-requ...@lists.samba.org wrote:

Subject: Re: [Samba] samba, ldap, kerberos
From: Natxo Asenjo natxo.ase...@gmail.com
Date: Mon, 15 Feb 2010 09:42:18 +0100
To: Samba Mail List samba@lists.samba.org

On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta pramathesh.amba...@gmail.com wrote:

Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?

Take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.

natxo

Thanks for your response.

Pramathesh
Re: [Samba] samba, ldap, kerberos
On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta pramathesh.amba...@gmail.com wrote:

Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?

Take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.

natxo
Re: [Samba] Samba+LDAP + Primary GIDs
Kris Lou wrote:

PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match. Also, here's the global portion of the Openfiler smb.conf and an example share (portions edited). About this - I can obviously edit the smb.conf, but it gets overwritten by the Openfiler gui whenever changes are made. Looking at the file, I'm not understanding where the group security settings are being placed. It looks like Openfiler runs with Samba 3.2.13.

Is nss-ldap installed on the Openfiler? If so, is it pointing to the LDAP server on the Samba+LDAP machine?
Re: [Samba] Samba+LDAP + Primary GIDs
ldap.conf/nsswitch.conf/ldap.secrets all exist.

Something might be wrong with the set up on the PDC side - when I run net groupmap list, all of my mappings correctly show up. But when I run a net rpc group list on the PDC, only 2 groups (most recently created) are displayed.

Kris Lou
k...@themusiclink.net

On Fri, Jan 29, 2010 at 2:20 PM, Rob Shinn mor...@tuxedo.darktech.org wrote:

Is nss-ldap installed on the Openfiler? If so, is it pointing to the LDAP server on the Samba+LDAP machine?
Re: [Samba] Samba+LDAP + Primary GIDs
PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match. Also, here's the global portion of the Openfiler smb.conf and an example share (portions edited). About this - I can obviously edit the smb.conf, but it gets overwritten by the Openfiler gui whenever changes are made. Looking at the file, I'm not understanding where the group security settings are being placed. It looks like Openfiler runs with Samba 3.2.13.

# Global settings
[global]
workgroup = MLC
server string = Openfiler NAS
netbios name = VADER
wins server = pdc.ip.add.ress //edited
password server = pdc.ip.add.ress //edited
realm =
; interfaces = 192.168.12.2/24 192.168.13.2/24
; remote announce = 92.168.1.255 192.168.2.44
; domain logons = yes
log file = /var/log/samba/%m.log
max log size = 0
; hosts deny = all
map to guest = Bad User
guest account = ofguest
display charset = LOCALE
unix charset = UTF-8
dos charset = CP850
ldap ssl = no
ldap admin dn = //edited
ldap suffix = //edited
encrypt passwords = yes
security = user
passdb backend = ldapsam:ldap://pdc.ip.add.ress //edited
ldap user suffix = ou=People
ldap group suffix = ou=Group
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
; username map = /etc/samba/smbusers
obey pam restrictions = yes
load printers = no
domain master = no
local master = no
preferred master = no
os level = 0

[Purchasing]
comment = Purchasing Share
path = /mnt/fileshare/Purchasing/Purchasing
read only = no
writeable = yes
oplocks = yes
level2 oplocks = yes
force security mode = 0
dos filemode = yes
dos filetime resolution = yes
dos filetimes = yes
fake directory create times = yes
browseable = yes
csc policy = manual
share modes = yes
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
veto files = /*:Zone.Identifier:*/
create mode = 0770
directory mode = 2770
printable = no
guest ok = no
hosts allow = 23.23.23.0/24
hosts readonly allow =
store dos attributes = yes
map acl inherit = yes
vfs objects = shadow_copy

Kris Lou
k...@themusiclink.net

On Sat, Jan 23, 2010 at 3:34 PM, Rob Shinn mor...@tuxedo.darktech.org wrote:

What does your 'net getdomainsid' or 'net getlocalsid' output look like?

Kris Lou wrote:

Hi Rob, Thanks for the quick reply - Here it is (mostly with some cut and paste). CentOS 5.4, Samba 3.2.15.
Re: [Samba] Samba+LDAP + Primary GIDs
What does your 'net getdomainsid' or 'net getlocalsid' output look like?

Kris Lou wrote:

Hi Rob, Thanks for the quick reply - Here it is (mostly with some cut and paste). CentOS 5.4, Samba 3.2.15.
Re: [Samba] Samba+LDAP + Primary GIDs
Kris Lou wrote:

I've checked my ldif's - the groups exist, the users exist as memberids, but it looks like samba is only checking the gid?

Can you post the LDIFs of your groups (you can edit out any incriminating evidence ;)? Sounds like your groups are lacking correct sambaSID or sambaGroupType attributes.
Re: [Samba] Samba+LDAP + Primary GIDs
Hi Rob,

Thanks for the quick reply - Here it is (mostly with some cut and paste). CentOS 5.4, Samba 3.2.15.

dn: cn=Domain Admins,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Administrators
sambaSID: S-1-5-21-957249707-1866601452-441284377-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 1a60146c-cfad-102d-96b0-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 512
cn: Domain Admins
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
memberUid:
entryCSN: 20091028001757Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091028001757Z

dn: cn=Domain Users,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: 1a7ebb60-cfad-102d-96b1-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 513
cn: Domain Users
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
entryCSN: 20091215225639Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091215225639Z

dn: cn=Domain Guests,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: 1a845502-cfad-102d-96b2-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
userPassword:: e2NyeXB0fXg=
memberUid: design
memberUid: fedex
memberUid: infobox
memberUid: mailbox
memberUid: test
entryCSN: 20090521203023Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090521203023Z

dn: cn=Domain Computers,ou=Group,dc=themusiclink,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-957249707-1866601452-441284377-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 1a8ab492-cfad-102d-96b3-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
entryCSN: 20090507234700Z#04#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090507234700Z

dn: cn=Administrators,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: 1a905d16-cfad-102d-96b4-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
userPassword:
memberUid: administrator
memberUid: root
entryCSN: 20090516003337Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090516003337Z

dn: sambaDomainName=MLC,dc=themusiclink,dc=net
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MLC
sambaSID: S-1-5-21-957249707-1866601452-441284377
structuralObjectClass: sambaDomain
entryUUID: 1aab5d3c-cfad-102d-96b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234701Z
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
sambaPwdHistoryLength: 0
gidNumber: 1033
uidNumber: 1043
sambaNextRid: 1100
entryCSN: 20100104223853Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20100104223853Z

dn: cn=TML.Accounting,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: TML.Accounting
userPassword:: e2NyeXB0fXg=
gidNumber: 1145
structuralObjectClass: posixGroup
entryUUID: 90185732-cfad-102d-97b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507235018Z
sambaSID: S-1-5-21-957249707-1866601452-441284377-1011
sambaGroupType: 2
displayName: TML Accounting
description: Domain Unix group
memberUid: mailman
memberUid: mtong
memberUid: psmith
memberUid: spatrino
memberUid: klou
memberUid: tocampo
entryCSN: 20091202193050Z#03#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091202193050Z

dn: cn=TML.CustomerService,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: TML.CustomerService
userPassword:: e2NyeXB0fXg=
gidNumber: 1030
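The two failure modes discussed in these threads, "User X with invalid SID ... in passdb" in the sl1/CHEMBMB thread and groups that Samba ignores because their LDAP entries lack a usable sambaGroupMapping in this one, both come down to comparing SIDs in the directory against the SID of the domain the server believes it serves. The following is an added example, not code from either thread or from the Samba project: a small offline audit that parses `net getdomainsid` output and an LDIF dump and reports every account or group mapping Samba would reject. The domain SIDs, DNs and LDIF content are constructed sample data; they are not the values posted in the threads.

```python
"""Added example, not code from the threads or from Samba: offline check of a
Samba 3 ldapsam directory against the domain SID, the rule behind the logged
"User X with invalid SID ... in passdb" message. All sample data is constructed."""
import base64
import re

BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN aliases such as Administrators (S-1-5-32-544)
GROUP_TYPES = {"2", "4", "5"}  # sambaGroupType: domain group, local group, builtin

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: v', 'attr:: base64', folded lines, blank-line separators."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; "" flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def parse_getdomainsid(output):
    """'net getdomainsid' output -> {name: domain SID}."""
    pat = re.compile(r"SID for (?:domain|local machine) (\S+) is: (S-1-5-21(?:-\d+){3})")
    return {m.group(1): m.group(2) for m in pat.finditer(output)}

def domain_of(sid):
    """S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c (drop the RID)."""
    return sid.rsplit("-", 1)[0]

def check_passdb(domain_sid, entries):
    """Return (dn, problem) pairs for entries Samba would reject or silently ignore."""
    problems, group_sids = [], set()
    for e in entries:                      # pass 1: group mappings
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectClass", [])}
        if "posixgroup" not in classes:
            continue
        if "sambagroupmapping" not in classes:  # Samba cannot map this GID to a SID
            problems.append((dn, "posixGroup without sambaGroupMapping"))
            continue
        sid = e.get("sambaSID", [""])[0]
        if not sid or e.get("sambaGroupType", [""])[0] not in GROUP_TYPES:
            problems.append((dn, "group mapping lacks sambaSID or valid sambaGroupType"))
            continue
        if not sid.startswith(BUILTIN_PREFIX) and domain_of(sid) != domain_sid:
            problems.append((dn, f"group SID {sid} not in domain {domain_sid}"))
        group_sids.add(sid)
    for e in entries:                      # pass 2: user and machine accounts
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" not in classes:
            continue
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            val = e.get(attr, [""])[0]
            if not val:
                problems.append((dn, f"missing {attr}"))
            elif domain_of(val) != domain_sid:
                problems.append((dn, f"{attr} {val} not in domain {domain_sid}"))
            elif attr == "sambaPrimaryGroupSID" and val not in group_sids:
                problems.append((dn, f"primary group {val} has no sambaGroupMapping"))
    return problems

def audit(net_output, workgroup, ldif):
    """Resolve the workgroup's SID from 'net getdomainsid' and audit the LDIF against it."""
    return check_passdb(parse_getdomainsid(net_output)[workgroup], parse_ldif(ldif))

# Constructed sample: the server's own SID differs from the domain SID, as in the
# thread, and the LDIF mixes good entries with the failure modes discussed.
SAMPLE_NET_OUTPUT = """\
SID for domain SL1 is: S-1-5-21-1111-2222-3333
SID for domain EXAMPLE is: S-1-5-21-4444-5555-6666
"""
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-4444-5555-6666-513
sambaGroupType: 2
userPassword:: e2NyeXB0fXg=

dn: cn=research,ou=Group,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1145

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4444-5555-6666-1000
sambaPrimaryGroupSID: S-1-5-21-4444-5555-6666-513

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111-2222-3333-1002
sambaPrimaryGroupSID: S-1-5-21-4444-5555-6666-515
"""

if __name__ == "__main__":
    for dn, problem in audit(SAMPLE_NET_OUTPUT, "EXAMPLE", SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

On a real server, feed it the output of `net getdomainsid` and an `ldapsearch -LLL` dump of the Samba suffix, and pass the `workgroup` from smb.conf. An account whose sambaSID sits under the server's own local SID rather than the domain SID, as bob does above, is exactly the case Samba logs as an invalid SID in passdb; a posixGroup without a sambaGroupMapping entry is invisible to `net rpc group list` even though `getent group` shows it.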
Re: [Samba] samba+ldap two domains db sync?
Alberto Moreno wrote:

Is it possible to sync both ldap servers every time I change something in ldap? Or is there a better way to do it?

You could probably do this with OpenLDAP's syncrepl replication facility. You may also wish to consider combining everything into one LDAP database, containing two different Samba domains, with a common OU for user accounts. You could keep the LDAP servers as they are, just set up one as a secondary LDAP server using syncrepl. That would have the advantage of centralizing everything and ease user administration, since users created in one domain would automatically be included in both. Without knowing the specifics, however, it's hard to say which way would be best.
Re: [Samba] samba+ldap two domains db sync?
Rob,

I am curious if you think an extension of this idea might work to centrally control and manage many domains?

Mothership LDAP [Hosted Highly Redundant setup]
- Domain 1 (SyncRepl only portion of LDAP)
- Domain 2 (SyncRepl only portion of LDAP)
...
- Domain 26 (SyncRepl only portion of LDAP)

Ideally each local subnet might also be VPNed up to the mothership so that local machines could still authenticate (slowly) if the local PDC were unavailable. Long term each domain would be Samba4 based and fully AD ready.

Would love to discuss this idea with someone familiar with multi-domain setups like this.

thanks,
Larry

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Rob Shinn
Sent: Monday, January 11, 2010 9:33 AM
To: Alberto Moreno
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba+ldap two domains db sync?
Re: [Samba] samba+ldap two domains db sync?
On 01/11/10 09:31, Rob Shinn wrote:
Alberto Moreno wrote:
Is it possible to sync both LDAP servers every time I change something in LDAP? Or is there a better way to do it?

You could probably do this with OpenLDAP's syncrepl replication facility. You may also wish to consider combining everything into one LDAP database, containing two different Samba domains, with a common OU for user accounts. You could keep the LDAP servers as they are, just set up one as a secondary LDAP server using syncrepl. That would have the advantage of centralizing everything and easing user administration, since users created in one domain would automatically be included in both. Without knowing the specifics, however, it's hard to say which way would be best.

I don't think one user in LDAP could be in two different domains - each user has to have a distinct sambaSID entry.

I use Sun's Directory Server for my LDAP backend - it was already in place for another project, which is why I went with it rather than with OpenLDAP. It supports replication between LDAP servers and has a GUI for setting up the replication parameters. Although, to be fair, there is a bit of a learning curve with this product.
Re: [Samba] samba+ldap two domains db sync?
Gaiseric Vandal wrote:
I don't think one user in LDAP could be in two different domains - each user has to have a distinct sambaSID entry.

Ooomph! *slaps forehead*. You're right. That's what I get for posting before I've had my coffee. I stand by my original statement that OpenLDAP's syncrepl would work, though.
Re: [Samba] samba+ldap two domains db sync?
Thanks people. I will read about syncrepl and see how it works. Thanks all of you for your tips!!! See you!!!

On Mon, Jan 11, 2010 at 6:49 AM, Rob Shinn mor...@tuxedo.darktech.org wrote:
Gaiseric Vandal wrote:
I don't think one user in LDAP could be in two different domains - each user has to have a distinct sambaSID entry.

Ooomph! *slaps forehead*. You're right. That's what I get for posting before I've had my coffee. I stand by my original statement that OpenLDAP's syncrepl would work, though.

--
Living the dream...
Re: [Samba] Samba + LDAP: Changing user's group
Bump

Wes Deviers wrote:
I'm having this same problem, but it's new. Using 3.4.2 Debian packages, recently upgraded. I never had any type of LDAP group caching problem until the last 2 weeks.

I added a user to an LDAP group as normal because they needed access to a new share. Cleared the nscd caches as normal. The service definition uses

force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName

All of the people previously in @groupName retain access to the share. The person I just added cannot access it. getent, groups, etc. all return the correct group membership. If I add the account explicitly to valid users / write list, it works as soon as I do an smbd reload.

Did some behavior change or have we stumbled on a new bug?

Wes

On Monday 30 November 2009 07:29:33 am davefu wrote:
Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on the LDAP server. LDAP is used on both the system and Samba environments. When changing groups on users, those changes are instant in the system environment, but not in Samba.

- I create a new Folder A, with full permissions for Group A.
- User B (belonging to Group B) logs in via SSH to the server, and can't access Folder A.
- User B logs in via Samba using his Windows desktop machine, and can't access Folder A (previously configured inside a Samba resource).
- Now I add User B to Group A via LDAP. He belongs now to Group A and Group B.
- getent group | grep User B correctly shows both groups for the user.
- User B correctly accesses Folder A, writes files, etc. via console, SSH, or any kind of regular system authentication (since the system is using PAM libraries, configured to use LDAP as backend).
- User B still can't access Folder A in any way. Samba has cached User B's credentials, and hasn't checked LDAP again for a while. The only option is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP info about that user again.

Hope this little story explains my problem better. Sorry for my English. Thanks!
Re: [Samba] Samba + LDAP: Changing user's group
I'm having this same problem, but it's new. Using 3.4.2 Debian packages, recently upgraded. I never had any type of LDAP group caching problem until the last 2 weeks.

I added a user to an LDAP group as normal because they needed access to a new share. Cleared the nscd caches as normal. The service definition uses

force group = +groupName
valid users = @admins, @groupName
write list = @admins, @groupName

All of the people previously in @groupName retain access to the share. The person I just added cannot access it. getent, groups, etc. all return the correct group membership. If I add the account explicitly to valid users / write list, it works as soon as I do an smbd reload.

Did some behavior change or have we stumbled on a new bug?

Wes

On Monday 30 November 2009 07:29:33 am davefu wrote:
Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on the LDAP server. LDAP is used on both the system and Samba environments. When changing groups on users, those changes are instant in the system environment, but not in Samba.

- I create a new Folder A, with full permissions for Group A.
- User B (belonging to Group B) logs in via SSH to the server, and can't access Folder A.
- User B logs in via Samba using his Windows desktop machine, and can't access Folder A (previously configured inside a Samba resource).
- Now I add User B to Group A via LDAP. He belongs now to Group A and Group B.
- getent group | grep User B correctly shows both groups for the user.
- User B correctly accesses Folder A, writes files, etc. via console, SSH, or any kind of regular system authentication (since the system is using PAM libraries, configured to use LDAP as backend).
- User B still can't access Folder A in any way. Samba has cached User B's credentials, and hasn't checked LDAP again for a while. The only option is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP info about that user again.

Hope this little story explains my problem better. Sorry for my English. Thanks!
Re: [Samba] Samba + LDAP: Changing user's group
Hi, thanks for answering.

I have only 1 Samba server. When I mentioned changes on groups, I meant on the LDAP server. LDAP is used on both the system and Samba environments. When changing groups on users, those changes are instant in the system environment, but not in Samba.

- I create a new Folder A, with full permissions for Group A.
- User B (belonging to Group B) logs in via SSH to the server, and can't access Folder A.
- User B logs in via Samba using his Windows desktop machine, and can't access Folder A (previously configured inside a Samba resource).
- Now I add User B to Group A via LDAP. He belongs now to Group A and Group B.
- getent group | grep User B correctly shows both groups for the user.
- User B correctly accesses Folder A, writes files, etc. via console, SSH, or any kind of regular system authentication (since the system is using PAM libraries, configured to use LDAP as backend).
- User B still can't access Folder A in any way. Samba has cached User B's credentials, and hasn't checked LDAP again for a while. The only option is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP info about that user again.

Hope this little story explains my problem better. Sorry for my English. Thanks!

However, sato x wrote:
On Thu, Nov 19, 2009 at 7:28 PM, davefu davef...@gmail.com wrote:
Hello fellas.

I'm facing this problem today: My Samba PDC is using LDAP as a backend, and it's working really well. The problem comes when I change the groups of one of the users. The system shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions.

OK.

Samba, however, doesn't seem to get those changes immediately (it syncs hours later, a totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting the Samba service forces Samba to refresh the users' credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba's cached credentials.

Do you mean that you have another samba server (as file server) running that uses LDAP as its backend? When you change the group(s), the change doesn't affect this file server immediately? If this is the case, I used to reload nscd to refresh its cache, since start-stop or restart of nscd brings no effect at all.

Hope it can help - and pardon my language.
Re: [Samba] Samba + LDAP: Changing user's group
On Thu, Nov 19, 2009 at 7:28 PM, davefu davef...@gmail.com wrote:
Hello fellas.

I'm facing this problem today: My Samba PDC is using LDAP as a backend, and it's working really well. The problem comes when I change the groups of one of the users. The system shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions.

OK.

Samba, however, doesn't seem to get those changes immediately (it syncs hours later, a totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting the Samba service forces Samba to refresh the users' credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba's cached credentials.

Do you mean that you have another samba server (as file server) running that uses LDAP as its backend? When you change the group(s), the change doesn't affect this file server immediately? If this is the case, I used to reload nscd to refresh its cache, since start-stop or restart of nscd brings no effect at all.

Hope it can help - and pardon my language.
Re: [Samba] Samba + LDAP error in windows xp while ACL
for php5
ii  smbldap-tools  0.9.4-1  Scripts to manage Unix and Samba accounts st

r...@sangam:~# dpkg -l | grep acl
ii  acl      2.2.45-1  Access control list utilities
ii  libacl1  2.2.45-1  Access control list shared library

sys...@sangam:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=Ubuntu 8.04.1

Do you want any logs from me?

C U Next Mail
Raj
Take Care
HAVE A NICE DAY
Mobile : 98418 78056
Office No : 044- 28285571, 512 , 575
Office No : 044- 30212881

--- On Tue, 17/11/09, vishesh kumar linuxtovish...@gmail.com wrote:
From: vishesh kumar linuxtovish...@gmail.com
Subject: Re: [Samba] Samba + LDAP error in windows xp while ACL
To: D.Rajan rajand_2...@yahoo.com
Cc: samba@lists.samba.org
Date: Tuesday, 17 November, 2009, 3:09 PM

Dear rajan

Did you set the ldap admin password for samba by using the following command?
root# smbpasswd -w ldap admin password

By the way, you can also use the pdbedit -Lv command to ensure samba is communicating with ldap properly.

Thanks

On Tue, Nov 17, 2009 at 10:55 AM, D.Rajan rajand_2...@yahoo.com wrote:
Dear All,

What are the files I need to check to solve the problem?

I have a PDC and a BDC:

r...@sangam:/var/log/samba# net getlocalsid
SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926

r...@vaigai:~# net getlocalsid
SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926

Error while setting ACL from Windows XP:

ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
[2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.

As per your instruction I converted one system from our domain to a workgroup, restarted the system and then converted it back to my domain; even so, I am not able to give permission from my system.

1. In my client XP system, what do I need to check regarding SID information?
2. How to solve the "unable to map SID" error on the server? I have more than 2500 client systems.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY

--- On Sun, 8/11/09, D.Rajan rajand_2...@yahoo.com wrote:
From: D.Rajan rajand_2...@yahoo.com
Subject: Samba + LDAP error in windows xp while ACL
To: samba@lists.samba.org
Date: Sunday, 8 November, 2009, 6:08 PM

Dear all,

I am using Samba + PDC LDAP in a single server. From last month onward I am facing a problem. When I set the ACL manually (setfacl -m g:group:rwx the_file) it's OK, the other domain members see the ACL. But when I set the ACL from a Windows workstation, that doesn't work; it gives the following error:

sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
  sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
. . .
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY

--
http://linuxinterviews.blogspot.com
Re: [Samba] Samba + LDAP: Changing user's group
Thanks for the reply. Think I'll have a look at the smb.conf. I'm not really sure about the answer to your question. For each domain, I have 2 sambaGroupMapping entries (domainUsersDOMAIN and domainAdminsDOMAIN, with SIDs ending in 513 and 512), and all the posix groups I want, to keep a certain order between user groups, admin groups, etc., which will come into use when setting ACLs on the shared resources.

Thanks again.

Gaiseric Vandal wrote:
There are various TDB files that cache info (maybe under /var/samba/locks). If you run testparm -v there may be some timeout or cache variables you could adjust.

Does it matter if you have mapped the unix group to a Windows group? In my environment we set up group mappings for the key groups (like Domain Administrators) but we have a lot of unix groups that we don't explicitly map to Windows groups.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group

Hello fellas.

I'm facing this problem today: My Samba PDC is using LDAP as a backend, and it's working really well. The problem comes when I change the groups of one of the users. The system shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions. Samba, however, doesn't seem to get those changes immediately (it syncs hours later, a totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting the Samba service forces Samba to refresh the users' credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba's cached credentials. Has anyone experienced this before?

P.D: Where is Samba caching the users' information/credentials/password/etc. anyway?
Re: [Samba] Samba + LDAP: Changing user's group
There are various TDB files that cache info (maybe under /var/samba/locks). If you run testparm -v there may be some timeout or cache variables you could adjust.

Does it matter if you have mapped the unix group to a Windows group? In my environment we set up group mappings for the key groups (like Domain Administrators) but we have a lot of unix groups that we don't explicitly map to Windows groups.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of davefu
Sent: Thursday, November 19, 2009 7:29 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + LDAP: Changing user's group

Hello fellas.

I'm facing this problem today: My Samba PDC is using LDAP as a backend, and it's working really well. The problem comes when I change the groups of one of the users. The system shows the change correctly by using 'getent group' and if I log in as that user the behavior is correct when trying the new group permissions. Samba, however, doesn't seem to get those changes immediately (it syncs hours later, a totally random amount of time). I've tried disabling NSCD but no luck. I've read somewhere that restarting the Samba service forces Samba to refresh the users' credentials, but that's not possible to do every time a user needs a change in his groups. I'm wondering if there is some way to refresh Samba's cached credentials. Has anyone experienced this before?

P.D: Where is Samba caching the users' information/credentials/password/etc. anyway?
Re: [Samba] Samba + LDAP error in windows xp while ACL
Dear rajan

Did you set the ldap admin password for samba by using the following command?
root# smbpasswd -w ldap admin password

By the way, you can also use the *pdbedit -Lv* command to ensure samba is communicating with ldap properly.

Thanks

On Tue, Nov 17, 2009 at 10:55 AM, D.Rajan rajand_2...@yahoo.com wrote:
Dear All,

What are the files I need to check to solve the problem?

I have a PDC and a BDC:

r...@sangam:/var/log/samba# net getlocalsid
SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926

r...@vaigai:~# net getlocalsid
SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926

Error while setting ACL from Windows XP:

ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
[2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.

As per your instruction I converted one system from our domain to a workgroup, restarted the system and then converted it back to my domain; even so, I am not able to give permission from my system.

1. In my client XP system, what do I need to check regarding SID information?
2. How to solve the "unable to map SID" error on the server? I have more than 2500 client systems.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY

--- On Sun, 8/11/09, D.Rajan rajand_2...@yahoo.com wrote:
From: D.Rajan rajand_2...@yahoo.com
Subject: Samba + LDAP error in windows xp while ACL
To: samba@lists.samba.org
Date: Sunday, 8 November, 2009, 6:08 PM

Dear all,

I am using Samba + PDC LDAP in a single server. From last month onward I am facing a problem. When I set the ACL manually (setfacl -m g:group:rwx the_file) it's OK, the other domain members see the ACL. But when I set the ACL from a Windows workstation, that doesn't work; it gives the following error:

sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
  sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
. . .
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY

--
http://linuxinterviews.blogspot.com
Re: [Samba] Samba + LDAP error in windows xp while ACL
Dear All,

What are the files I need to check to solve the problem?

I have a PDC and a BDC:

r...@sangam:/var/log/samba# net getlocalsid
SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926

r...@vaigai:~# net getlocalsid
SID for domain VAIGAI is: S-1-5-21-4020846335-601350461-1468625926

Error while setting ACL from Windows XP:

ys...@sangam:/var/log/samba$ tailf log.kh-sys-02635
[2009/11/16 19:12:43, 0] printing/print_cups.c:cups_connect(69)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2009/11/17 09:32:28, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:32, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 09:32:49, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:26:38, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:03, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.

As per your instruction I converted one system from our domain to a workgroup, restarted the system and then converted it back to my domain; even so, I am not able to give permission from my system.

1. In my client XP system, what do I need to check regarding SID information?
2. How to solve the "unable to map SID" error on the server? I have more than 2500 client systems.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY

--- On Sun, 8/11/09, D.Rajan rajand_2...@yahoo.com wrote:
From: D.Rajan rajand_2...@yahoo.com
Subject: Samba + LDAP error in windows xp while ACL
To: samba@lists.samba.org
Date: Sunday, 8 November, 2009, 6:08 PM

Dear all,

I am using Samba + PDC LDAP in a single server. From last month onward I am facing a problem. When I set the ACL manually (setfacl -m g:group:rwx the_file) it's OK, the other domain members see the ACL. But when I set the ACL from a Windows workstation, that doesn't work; it gives the following error:

sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
  sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
. . .
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY
Re: [Samba] Samba + LDAP error in windows xp while ACL
Did this use to work OK?

It sounds like samba is not properly mapping YOURDOMAIN\username in Windows to the underlying unix account. Do you create the unix accounts first or does samba automatically create them? Either way, I think your LDAP entry for each user should include the unix uid number as well as the samba sid.

What happens if you type wbinfo -s SID S-1-5-21-4020846335-601350461-1468625926-27594?

Also, if I am reading this correctly, the log files seem to indicate two domains are involved here - *-3986255151-* and *-4020846335-*

I have had problems getting the SID to unix id mapping stuff working properly with member samba servers (not with XP clients.) Can you try removing and rejoining an XP machine to the domain?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of D.Rajan
Sent: Sunday, November 08, 2009 7:39 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + LDAP error in windows xp while ACL

Dear all,

I am using Samba + PDC LDAP in a single server. From last month onward I am facing a problem. When I set the ACL manually (setfacl -m g:group:rwx the_file) it's OK, the other domain members see the ACL. But when I set the ACL from a Windows workstation, that doesn't work; it gives the following error:

sys...@sangam:/var/log/samba$ tailf log.r-sys-03703
[2009/11/08 17:54:05, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
  sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
. . .
[2009/11/08 17:54:15, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.

C U Next Mail
Raj
Take Care
HAVE A NICE DAY
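Gaiseric's observation above rests on how a SID is built: everything up to the last hyphen is the domain SID (the value net getlocalsid prints), and the final component is the RID of the user or group (512 and 513 are the well-known RIDs of Domain Admins and Domain Users mentioned earlier in this thread). The following script is an added example, not code from the thread or from the Samba project: it takes the domain SID from constructed net getlocalsid output, pulls every SID out of constructed smbd log lines modelled on the ones quoted above, and separates RIDs that belong to the local domain (a missing uid/gid mapping or LDAP entry for that RID) from SIDs whose domain part is foreign (a stale SID left over from a previous domain, which no amount of idmap configuration will resolve). All sample values are taken from the thread; the log text is constructed.

```python
"""Group the SIDs that smbd reports as unmappable by their domain part.

Added example (not from the mailing-list thread). Feed it the output of
'net getlocalsid' and some smbd log text; it tells you which unmapped SIDs
are local (fix the LDAP/idmap entry for that RID) and which belong to a
different domain (stale SIDs, e.g. from a domain that was re-created).
"""
import re
from collections import defaultdict

# A full SID with a RID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+-\d+\b")

# Well-known RIDs that Samba group mappings commonly reference.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Constructed sample: what 'net getlocalsid' printed on the PDC in the thread.
GETLOCALSID_OUTPUT = "SID for domain SANGAM is: S-1-5-21-4020846335-601350461-1468625926"

# Constructed sample log text, modelled on the smbd lines quoted in the thread.
SAMPLE_LOG = """\
[2009/11/08 17:54:09, 0] passdb/pdb_ldap.c:ldapuser2displayentry(4211)
  sid S-1-5-21-3986255151-1643105893-2919334401-3002 does not belong to our domain
[2009/11/08 17:54:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-27594 to uid or gid.
[2009/11/17 10:27:29, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID S-1-5-21-4020846335-601350461-1468625926-3174 to uid or gid.
"""


def local_domain_sid(getlocalsid_output):
    """Extract the three-component domain SID from 'net getlocalsid' output."""
    m = re.search(r"(S-1-5-21-\d+-\d+-\d+)\s*$", getlocalsid_output.strip())
    if not m:
        raise ValueError("no domain SID found in: %r" % getlocalsid_output)
    return m.group(1)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID as int)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def classify_sids(log_text, domain_sid):
    """Return {'local': {rid: hits}, 'foreign': {domain_sid: {rid: hits}}}."""
    local = defaultdict(int)
    foreign = defaultdict(lambda: defaultdict(int))
    for sid in SID_RE.findall(log_text):
        dom, rid = split_sid(sid)
        if dom == domain_sid:
            local[rid] += 1
        else:
            foreign[dom][rid] += 1
    return {"local": dict(local), "foreign": {d: dict(r) for d, r in foreign.items()}}


def describe_rid(rid):
    """Name well-known RIDs so a 512/513 mapping problem is obvious at a glance."""
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)


if __name__ == "__main__":
    dom = local_domain_sid(GETLOCALSID_OUTPUT)
    result = classify_sids(SAMPLE_LOG, dom)
    print("local domain SID:", dom)
    for rid, hits in sorted(result["local"].items()):
        print("  local %s unmapped (%d hit(s)): check its sambaSID/uidNumber/gidNumber "
              "entry in LDAP and the idmap configuration" % (describe_rid(rid), hits))
    for fdom, rids in result["foreign"].items():
        print("  foreign domain %s: %s (stale SIDs from another domain?)"
              % (fdom, ", ".join(describe_rid(r) for r in sorted(rids))))
```

Run against a real server, replace the two constructed strings with the output of net getlocalsid and the contents of the client log files under the Samba log directory. Every local RID it lists is a SID-to-uid/gid mapping that wbinfo -s and the LDAP entries should be able to resolve; a foreign domain SID points at the kind of leftover from an earlier domain that Gaiseric spotted in Rajan's logs.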
Re: [Samba] samba ldap
On Thu, Oct 29, 2009 at 12:13 AM, Dale Schroeder d...@briannassaladdressing.com wrote:

Dale Schroeder
Technical Issues
Del Sol Food Company, Inc.
(979) 836-5978

Kaushal Shriyan wrote:
On Wed, Oct 28, 2009 at 11:44 PM, Dale Schroeder d...@briannassaladdressing.com wrote:
Kaushal Shriyan wrote:
Hi,

I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html and LDAP works perfectly fine. I have issues with connecting to LDAP from samba. I get

[2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 9 try!
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldap://localhost/ with dn=cn=admin,dc=webaroo,dc=com Error: Can't contact LDAP server (unknown)

I have the LDAP server running on the same server as the samba server. When I run ldapsearch -x -H ldaps://localhost I am able to see the user details. Please let me know if anyone needs configs and additional information. Also when I run smbldap-populate, I get http://paste.ubuntu.com/302630/

Thanks,
Kaushal

Hi,

I see you're using encryption. All of that is beyond me, as my setup is plain. Still, I noticed some inconsistencies and 1 probable error. I pasted each suspicious value below its pastebin link.

Below are my configs.

Notice below that you have different values for the ldap admin user. Twice you have cn=admin. Once you have dc=admin.

http://pastebin.com/dcb24c87 --- ldap.conf

http://pastebin.com/d721f0d4d --- slapd.conf
rootdn cn=admin,dc=example,dc=com

http://pastebin.com/d102cbfc5 --- samba.conf
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com (compare this line with what you put in smbldap.conf)

http://pastebin.com/d4a02b874 --- smbldap.conf
suffix=dc=admin,dc=example,dc=com (compare to smb.conf)
Probably should not have the dc=admin part. Because of all the ${suffix} entries, this would propagate throughout the ou entries.

http://pastebin.com/d716fddc0 --- smbldap_bind.conf
masterDN=dc=admin,dc=example,dc=com

If the problem lies with ldaps/ssl rather than my observations, then someone far more knowledgeable than me will have to find it.

Dale

Hi Dale

I have set it correctly in smbldap.conf and smbldap_bind.conf: cn=admin,dc=webaroo,dc=com

I get http://pastebin.com/d6d35247f

Please suggest/guide.

Did you try changing the value in smbldap.conf from suffix=dc=admin,dc=example,dc=com to suffix=dc=example,dc=com (removing dc=admin)? The error message seems to indicate you did not.

adding new entry: ou=Users,cn=admin,dc=example,dc=com

Dale

Thanks,
Kaushal

Hi Dale,

I get http://pastebin.com/d47ac4bd9

Thanks,
Kaushal
Re: [Samba] Samba LDAP: Unable to allocate a new user id: bailing out!
Great - that was the reason. In case someone else encounters the same problem - adding the following lines helped:

idmap backend = ldap
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmaps,dc=lohrmann,dc=de
idmap alloc config:ldap_user_dn = cn=samba,dc=lohrmann,dc=de
idmap alloc config:ldap_url = ldap://ldap.lohrmann.de

Thx François!

On 28.10.2009 17:23, François Legal wrote:

You have to define an allocation backend for idmapping, so that winbindd can allocate uids and gids for the users and groups that you want to create.

On Wed, 28 Oct 2009 16:32:35 +0100, Christian Geiger c.gei...@lohrmann.de wrote:

Hi!

I'm currently setting up a Samba 3 PDC. So far I managed to set up Samba with an OpenLDAP backend, but adding a user with the command

net rpc user add mg password -U root

results in the following error: Failed to add user 'mg' with: WERR_GENERAL_FAILURE.

In the logfile it says:

[2009/10/28 15:56:28, 0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!

Unfortunately I cannot find any other hint on what the reason could be. Has someone an idea what I might have misconfigured? Below's my smb.conf. The samba user has been granted the rights to manage the whole domain tree (olcAccess = {0}to dn.sub=dc=lohrmann,dc=de by dn=cn=samba,dc=lohrmann,dc=de manage by * break).

Thx a lot in advance!
Chris

smb.conf:

[global]
workgroup = LOHRMANN.DE
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 65
passdb backend = ldapsam
ldap admin dn = cn=samba,dc=lohrmann,dc=de
ldap suffix = dc=lohrmann,dc=de
ldap passwd sync = yes
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmaps
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
ldapsam:trusted = yes
ldapsam:editposix = yes
logon drive = H:
logon script = logon.bat
logon path = \\%N\profiles\%U\%a

[homes]
comment = Users Home Directories
valid users = %S
writeable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon

[profiles]
comment = Users profiles
path = /var/lib/samba/profiles

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
Re: [Samba] samba ldap
On Wed, Oct 28, 2009 at 12:39 AM, Dale Schroeder d...@briannassaladdressing.com wrote:

Kaushal Shriyan wrote:

On Tue, Oct 27, 2009 at 11:22 PM, Dale Schroeder d...@briannassaladdressing.com wrote:

Two things that I can think of:

1. Did you remember to run smbpasswd -w
2. In /etc/smbldap-tools, check the values in the two conf files. Edit as necessary, or run dpkg-reconfigure smbldap-tools if needed.

If that doesn't help, you'll probably need to post your config files on the list.

Hi Dale

Shall I pastebin the configs to you instead of the list due to security concern?

Thanks,
Kaushal

It would be best to sanitize anything you don't want to be public, then allow the list to see them. The contents of those files should be small enough to paste into the body of the mail, but that's your call. No clues in the other howto's?

Dale

FYI: More complete howto's here:
http://wiki.makethemove.net/index.php?title=LDAP-Samba#Introduction
and here:
https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix

I use Debian and was able to successfully adapt these Ubuntu tutorials, so they should work for you.

Dale

Kaushal Shriyan wrote:

Hi,

I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html and ldap works perfectly fine. I have issues with connecting to ldap from samba. I get

[2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 9 try!
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldap://localhost/ with dn=cn=admin,dc=webaroo,dc=com Error: Can't contact LDAP server (unknown)

I have ldapserver running on the same server as samba server is running. When I run ldapsearch -x -H ldaps://localhost I am able to see the user details. Please let me know if anyone needs configs and additional information.

Also when I run smbldap-populate, I get http://paste.ubuntu.com/302630/

Thanks,
Kaushal

Hi,

Below are my configs.

http://pastebin.com/dcb24c87 --- ldap.conf
http://pastebin.com/d721f0d4d --- slapd.conf
http://pastebin.com/d102cbfc5 --- samba.conf
http://pastebin.com/d4a02b874 --- smbldap.conf
http://pastebin.com/d716fddc0 --- smbldap_bind.conf

I am running both ldap and samba server on the same host running ubuntu 8.04 Hardy server. I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html. When I run smbldap-populate I get the issue shown at http://pastebin.com/d30ed0db6. Please let me know if anyone needs more information.

Thanks,
Kaushal
Re: [Samba] samba ldap
On Wed, Oct 28, 2009 at 11:44 PM, Dale Schroeder d...@briannassaladdressing.com wrote:

Kaushal Shriyan wrote:

Hi,

I am following https://help.ubuntu.com/8.10/serverguide/C/samba-ldap.html and ldap works perfectly fine. I have issues with connecting to ldap from samba. I get

[2009/10/27 12:37:28, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 9 try!
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/10/27 12:37:29, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldap://localhost/ with dn=cn=admin,dc=webaroo,dc=com Error: Can't contact LDAP server (unknown)

I have ldapserver running on the same server as samba server is running. When I run ldapsearch -x -H ldaps://localhost I am able to see the user details. Please let me know if anyone needs configs and additional information.

Also when I run smbldap-populate, I get http://paste.ubuntu.com/302630/

Thanks,
Kaushal

Hi,

I see you're using encryption. All of that is beyond me, as my setup is plain. Still, I noticed some inconsistencies and 1 probable error. I pasted each suspicious value below its pastebin link.

Below are my configs.

Notice below that you have different values for the ldap admin user. Twice you have cn=admin. Once you have dc=admin.

http://pastebin.com/dcb24c87 --- ldap.conf

http://pastebin.com/d721f0d4d --- slapd.conf
rootdn cn=admin,dc=example,dc=com

http://pastebin.com/d102cbfc5 --- samba.conf
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com (compare this line with what you put in smbldap.conf)

http://pastebin.com/d4a02b874 --- smbldap.conf
suffix=dc=admin,dc=example,dc=com (compare to smb.conf)
Probably should not have the dc=admin part. Because of all the ${suffix} entries, this would propagate throughout the ou entries.

http://pastebin.com/d716fddc0 --- smbldap_bind.conf
masterDN=dc=admin,dc=example,dc=com

If the problem lies with ldaps/ssl rather than my observations, then someone far more knowledgeable than me will have to find it.

Dale

Hi Dale

I have set it correctly in smbldap.conf and smbldap_bind.conf: cn=admin,dc=webaroo,dc=com

I get http://pastebin.com/d6d35247f

Please suggest/guide.

Thanks,
Kaushal
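The DN inconsistency Dale points out in this thread (smbldap.conf's suffix carrying an extra component that smb.conf's ldap suffix lacks, which ${suffix} then propagates into every ou entry that smbldap-populate creates) can be caught before populating the directory. The checker below is an added example, not code from the thread or from smbldap-tools; the three config snippets are constructed samples and the key=value scan is a deliberately simple stand-in for the real parsers.

```python
import re
# Constructed sample configs (not the poster's real files) reproducing the thread's
# inconsistency: smbldap.conf's suffix carries a stray "dc=admin" that smb.conf lacks.
SMB_CONF = """
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=Users
"""
SMBLDAP_CONF = """
suffix="dc=admin,dc=example,dc=com"
usersdn="ou=Users,${suffix}"
"""
SMBLDAP_BIND_CONF = """
masterDN="cn=admin,dc=example,dc=com"
"""
# Matches both 'ldap suffix = value' (smb.conf) and key="value" (smbldap-tools).
KV = re.compile(r'^\s*([\w ]+?)\s*=\s*"?([^"]*?)"?\s*$')

def parse_kv(text):
    """Return {lower-cased key: value} for every key=value line in text."""
    out = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m and not line.lstrip().startswith(("#", "[")):
            out[m.group(1).lower()] = m.group(2)
    return out

def expand(value, vars_):
    """Expand ${name} references the way smbldap-tools expands ${suffix}."""
    return re.sub(r"\$\{(\w+)\}", lambda m: vars_.get(m.group(1), m.group(0)), value)

def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison form."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_consistency(smb_conf, smbldap_conf, bind_conf):
    """Return mismatch descriptions; an empty list means the three files agree."""
    smb, tools, bind = parse_kv(smb_conf), parse_kv(smbldap_conf), parse_kv(bind_conf)
    problems = []
    if normalize_dn(smb["ldap suffix"]) != normalize_dn(tools["suffix"]):
        problems.append(f"suffix: smb.conf {smb['ldap suffix']!r} != smbldap.conf {tools['suffix']!r}")
    if normalize_dn(smb["ldap admin dn"]) != normalize_dn(bind["masterdn"]):
        problems.append(f"admin DN: smb.conf {smb['ldap admin dn']!r} != masterDN {bind['masterdn']!r}")
    # Every ${suffix}-derived DN inherits the stray component: the ou=Users,dc=admin,... entry.
    expected = normalize_dn(f"{smb['ldap user suffix']},{smb['ldap suffix']}")
    actual = normalize_dn(expand(tools["usersdn"], tools))
    if expected != actual:
        problems.append(f"usersdn expands to {actual} but smb.conf expects {expected}")
    return problems
```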
Re: [Samba] Samba + LDAP problem for find user name
Bruno Steven aspe...@gmail.com wrote in message news:c6bf33680910270225n6b5423e5te193e27399144...@mail.gmail.com...

I have samba integrated with openldap, all processes are up and I am trying to add one machine, Windows XP with SP3, to the Samba domain, but Windows shows this message

Error while the attempt of entry in domain amblivre.com
Is not possible find user name

I am tired because I haven't found any solution to this problem, I need some idea .. Thanks ...

Have you set up nss ldap?

When you type getent passwd do you see the users created in ldap as well as those in the /etc/passwd file?

When you type getent group do you see the groups created in ldap as well as those in the /etc/group file?
Re: [Samba] Samba + LDAP problem for find user name
Hi .. guys or girls ... until now I haven't found any information that resolves my problem. Is there somebody on this list that has made Samba and OpenLDAP work together?

On Tue, Oct 27, 2009 at 7:25 AM, Bruno Steven aspe...@gmail.com wrote:

I have samba integrated with openldap, all processes are up and I am trying to add one machine, Windows XP with SP3, to the Samba domain, but Windows shows this message

Error while the attempt of entry in domain amblivre.com
Is not possible find user name

I am tired because I haven't found any solution to this problem, I need some idea .. Thanks ...

--
Bruno Steven - Systems administrator.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

Before printing this message, think about your ecological responsibility and environmental commitment.
Re: [Samba] samba+ldap
On Fri 23/10/09 4:31 PM, Adam Williams wrote:

Paras pradhan wrote:

On Fri, Oct 23, 2009 at 2:07 PM, wrote:

Most mainstream Linux distros are compiling in LDAP support these days, no problem. Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their standard packages, AFAIK. I'm not sure what BSDs are doing these days, but I'd bet they're the same way.

I am on the Solaris 9 (ancient) platform. Now my compilation seems to be OK; now I need to find ways to connect this to the Sun LDAP server. Any info on this will be a great help.

Thanks
Paras.

In CentOS/Fedora you use nss_ldap; I'm not sure what Solaris uses, maybe you can compile nss_ldap from source and set up /etc/ldap.conf and /etc/nsswitch.conf

See this link for excellent info: http://aput.net/~jheiss/krbldap/howto.html#ldapclient