[Samba] Session request packet
hello list:

I am learning the SMB protocol. I looked up the NBT SESSION REQUEST PACKET in RFC 1002.

SESSION REQUEST PACKET

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                          CALLED NAME                          /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                          CALLING NAME                         /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I have a program to send this packet to a Windows-based host, but I cannot send this packet properly. The result, as shown by tcpdump, is the following.

>>> NBT Session Packet
NBT Session Request
Flags=0x0
Length=64 (0x40)
Destination=NameType=0x00 (Workstation)
Source=

>>> NBT Session Packet
NBT SessionReject
Flags=0x0
Length=1 (0x1)
Reason=0x8F
Unspecified error 0x8F

Why is the Destination field empty?? What is CALLED NAME?

/***/
#include <cerrno>
#include <cstring>
#include <iostream>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

using namespace std;

// 4-byte NBT session header
struct NBT_Session_Header {
    unsigned char type;
    unsigned char flags;
    unsigned short length;
};

struct NBT_NAME {
    char name[32];
};

struct NBT_Request {
    struct NBT_Session_Header NBTSessionHeader;
    NBT_NAME called;
    NBT_NAME calling;
};

int connectHost(const char* szHost, int iPort);
int sendNBT(void* data, size_t count, int socketid);
bool getnetbiosname(char* netbiosname, const char* hostname, unsigned char type);

// Main function
int main(int argc, char *argv[])
{
    int socketid = 0;
    if((socketid = connectHost("192.168.2.65", 139)) == -1) {
        cout << "Connect host error" << endl;
        return 1;
    }

    NBT_Request request;
    request.NBTSessionHeader.type = 0x81;
    request.NBTSessionHeader.flags = 0x0;
    request.NBTSessionHeader.length = htons(0x40);
    getnetbiosname(request.called.name, "0", 0x20);
    getnetbiosname(request.calling.name, "0", 0x00);
    cout << sizeof(NBT_Request) << endl;
    sendNBT(&request, sizeof(NBT_Request), socketid);

    cout << "Operate finished." << endl;
    return 0;
}

int connectHost(const char* szHost, int iPort)
{
    // Check that the parameters are usable
    if((szHost == 0) || (iPort <= 0))
        return -1;

    int socketid = 0; // socket identifier

    // Create a TCP socket and get its identifier
    socketid = socket(AF_INET, SOCK_STREAM, 0);
    if(socketid == -1) {
        cout << "Socket error." << endl;
        return -1;
    }
    else
        cout << "Socket is " << socketid << endl;

    // Resolve the host name or IP address
    struct hostent* host;
    if((host = gethostbyname(szHost)) != NULL)
        cout << "Get host name is " << host->h_name << endl;
    else {
        cout << "Get host name failed." << endl;
        return -1;
    }

    // Connect to the requested port on the host
    struct sockaddr_in sockaddr;
    memset(&sockaddr, 0, sizeof(sockaddr));
    sockaddr.sin_family = AF_INET;
    sockaddr.sin_port = htons(iPort);
    sockaddr.sin_addr = *((struct in_addr*)host->h_addr);
    if(connect(socketid, (struct sockaddr*)&sockaddr, sizeof(struct sockaddr)) == -1) {
        cout << "Connect failed." << endl;
        return -1;
    }
    else
        cout << "Connect succeed." << endl;

    return socketid;
}

int sendNBT(void* data, size_t count, int socketid)
{
    int num;
    num = send(socketid, data, count, 0);
    if(num == -1)
        cout << "Send failed." << errno << endl;
    else
        cout << "Send succeed." << endl;
    return num;
}

// Pad the host name to 15 characters, append the type byte and
// write the 32 half-ASCII characters into netbiosname
bool getnetbiosname(char* netbiosname, const char* hostname, unsigned char type)
{
    if(strlen(hostname) >= 16)
        return false;

    char src[16];
    memset(src, ' ', 16);
    memcpy(src, hostname, strlen(hostname));
    src[15] = type;

    int i;
    for(i = 0; i < 16; i++) {
        netbiosname[i*2] = ((src[i]&0xf0)>>4) + 0x41;
        netbiosname[i*2 + 1] = (src[i]&0x0f) + 0x41;
    }
    return true;
}
/***/

Thanks in advance,
liqian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
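The session request layout discussed in the message above, as an added example that is not part of the original post: on the wire each RFC 1002 name is a 0x20 length byte, 32 encoded characters and a terminating zero byte, so two names with an empty scope give LENGTH 68 (0x44). The names `*SMBSERVER` and `CLIENT` and every function name are assumptions chosen for illustration, and `bare_name_request` is a constructed sample that mirrors the 64-byte layout shown in the post.

```cpp
// Added example, not code from the original post.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Encode one name for the CALLED/CALLING NAME field: length byte 0x20, 32
// half-ASCII characters, then 0x00 ending the name (empty scope assumed).
// Returns an empty vector when the name is longer than 15 characters.
Bytes encode_nbt_name(const std::string& name, uint8_t type) {
    if (name.size() > 15) return Bytes();
    uint8_t raw[16];
    for (size_t i = 0; i < 15; ++i)
        raw[i] = i < name.size() ? static_cast<uint8_t>(name[i]) : ' ';
    raw[15] = type;                          // 16th byte carries the name type
    Bytes out;
    out.push_back(0x20);                     // 32 encoded bytes follow
    for (uint8_t b : raw) {
        out.push_back(static_cast<uint8_t>('A' + (b >> 4)));
        out.push_back(static_cast<uint8_t>('A' + (b & 0x0F)));
    }
    out.push_back(0x00);
    return out;
}

// Decode one on-wire name at p; returns the 34 bytes consumed, or 0 when the
// length byte, an encoded character or the terminator is wrong.
size_t decode_nbt_name(const uint8_t* p, size_t avail, std::string& name, uint8_t& type) {
    if (avail < 34 || p[0] != 0x20 || p[33] != 0x00) return 0;
    char raw[16];
    for (size_t i = 0; i < 16; ++i) {
        uint8_t hi = p[1 + 2 * i], lo = p[2 + 2 * i];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return 0;
        raw[i] = static_cast<char>(((hi - 'A') << 4) | (lo - 'A'));
    }
    type = static_cast<uint8_t>(raw[15]);
    size_t n = 15;
    while (n > 0 && raw[n - 1] == ' ') --n;  // drop the space padding
    name.assign(raw, n);
    return 34;
}

// Build a SESSION REQUEST: TYPE 0x81, FLAGS 0, big-endian LENGTH covering both
// names. Bytes are written one at a time, so struct padding and host byte
// order cannot change the layout.
Bytes build_session_request(const std::string& called, uint8_t called_type,
                            const std::string& calling, uint8_t calling_type) {
    Bytes a = encode_nbt_name(called, called_type);
    Bytes b = encode_nbt_name(calling, calling_type);
    if (a.empty() || b.empty()) return Bytes();
    size_t len = a.size() + b.size();        // 34 + 34 = 68 (0x44)
    Bytes pkt = {0x81, 0x00, static_cast<uint8_t>(len >> 8),
                 static_cast<uint8_t>(len & 0xFF)};
    pkt.insert(pkt.end(), a.begin(), a.end());
    pkt.insert(pkt.end(), b.begin(), b.end());
    return pkt;
}

// Check a SESSION REQUEST the way a receiver would (the length extension bit
// in FLAGS is ignored here).
bool parse_session_request(const Bytes& pkt, std::string& called, std::string& calling) {
    if (pkt.size() < 4 || pkt[0] != 0x81) return false;
    size_t len = (static_cast<size_t>(pkt[2]) << 8) | pkt[3];
    if (len != pkt.size() - 4) return false;
    uint8_t t1 = 0, t2 = 0;
    size_t used = decode_nbt_name(pkt.data() + 4, len, called, t1);
    if (used == 0) return false;
    size_t rest = decode_nbt_name(pkt.data() + 4 + used, len - used, calling, t2);
    return rest != 0 && used + rest == len;
}

// Constructed sample mirroring the post: LENGTH 0x40 and two bare 32-character
// names with no length byte and no terminator.
Bytes bare_name_request() {
    Bytes pkt = {0x81, 0x00, 0x00, 0x40};
    Bytes a = encode_nbt_name("0", 0x20), b = encode_nbt_name("0", 0x00);
    pkt.insert(pkt.end(), a.begin() + 1, a.end() - 1);
    pkt.insert(pkt.end(), b.begin() + 1, b.end() - 1);
    return pkt;
}

int main() {
    Bytes good = build_session_request("*SMBSERVER", 0x20, "CLIENT", 0x00);
    std::string called, calling;
    bool ok = parse_session_request(good, called, calling);
    std::printf("well-formed: %zu bytes, parses=%d, called=%s\n", good.size(), ok, called.c_str());
    std::printf("bare names:  parses=%d\n", parse_session_request(bare_name_request(), called, calling));
    return 0;
}
```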
[Samba] Error was Permission denied
Greetings,

I have tried a few days on and off to get samba to work, but need some help.

Samba version Samba 3.0.23a-1.FC5.1
Linux Fedora 5 (localhost) User: dsmith 192.168.1.104
Windows XP SP2 with latest updates (T2385) User: dan 192.168.1.100
Linksys 8 port router

I found a couple problems with the checklist and fixed them. A couple problems I wasn't able to solve. Here are the problems:

1) smbclient //192.168.1.104/dan -Udsmith
   tree connect failed: NT_STATUS_BAD_NETWORK_NAME

   smbpasswd is set, both dsmith and dan
   testparm runs fine
   I have cleared allow hosts, specified allow hosts, etc.
   Have disabled both firewalls, Linux and Windows.

2) nmblookup -d 2 '*'
   Linux box responds fine. Never have got a response from Windows.

3) cat T2385.log
   [2006/08/20 01:33:26, 0] smbd/service.c:make_connection_snum (911)
     '/home/dsmith' does not exist or permission denied when connecting to [dan] Error was Permission denied

   I have changed permissions on /home and /dsmith to 777. It didn't help.
   I created a user dan. It didn't help.

On Windows I'm using map network drive. Y: //192.168.1.104/dan
I use login as different user: dsmith and password

Here is smb.conf

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/08/19 23:38:24

[global]
    workgroup = SMITH
    server string = Samba Server
    log file = /var/log/samba/%m.log
    max log size = 50
    preferred master = Yes
    dns proxy = No
    ldap ssl = no
    hosts allow = 192.168.1., 127.
    cups options = raw

[printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No

[dan]
    path = /home/dsmith
    username = dsmith

I hope you can help me, I'm trying to convert from Windows XP to Linux and I thought samba would be the fastest way to transfer my files over (60Gb).

Thanks,
Dan
[Samba] user audit log
Dear Expert,

I need to log user's activities (ie. Create, Delete, remove .. etc) ..

I have already configured /etc/samba/smb.conf to:

    syslog = 10
    log file = /var/log/samba/%U.%m.log

then I try to login as user and remove something there .. but my samba does not log the activities .. please help..

Thanks & Regards
Winanjaya
[Samba] Win2k/XP ntconfig.pol
We have a SAMBA Domain and I am trying to get group policies to work.

From all the reading that I have done, it seems simple. For Win 2k,XP run the poledit.exe that was in win 2k sp4. Create the group policies as required. Copy the policy file (ntconfig.pol) to the netlogon share on all DC's, give it the appropriate permissions, make readable and executable and "Bob's your uncle Bill"

However the client I am testing it on does not even seem to reference the policy file, let alone try and apply it. I know there is something silly I am missing. Can anyone shed some light?

--
If you try and don't succeed, cheat. Repeat until caught. Then lie.
Re: [Samba] Re-exporting CIFS file systems
On Tue, 2006-08-22 at 17:19 -0700, Chuck Forsberg WA7KGX N2469R wrote:
> Is there a way to force the Samba server to ignore
> mounted CIFS file systems? I can't see anything
> in the smb.conf documentation to do this generally.

No. If you don't want to share a directory, don't include it in a share definition.

While not ideal, reexporting a CIFS filesystem is pretty much only as bad as reexporting a NFS filesystem to the same backend server.

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Red Hat Inc.             http://redhat.com
[Samba] Automatically add unix user
Dear Expert,

How to automatically add unix user when I run smbuseradd -a username.. please help

Thanks & Regards
Winanjaya
[Samba] Permission Problem --Windows or UNIX?
I am using Samba 3.0.20a with winbindd on FC3 and all the shares except one are working. I keep getting a permission denied error for non-local users in certain directories. The permissions on the directory are

# ls -ld .
drwxr-xr-x 11 procman users 4096 Aug  3 15:35 .

# ls -l
drwxrwx--- 12 procman admin      4096 Aug  2 15:47 administration
drwxrwx---  5 procman data-entry 4096 Nov 16  2005 data-entry
drwxrwx--- 10 procman devel      4096 Jul  5 11:24 development
drwxrwx--- 26 procman gis        4096 Aug 21 13:48 GIS
drwx------  2 root    root       4096 Aug 19 07:01 lost+found
drwxrwxr-x 14 procman users      4096 Jun  6 17:22 MapCopy
drwxrwx--- 25 procman marketing  4096 Nov 16  2005 marketing
drwxrwx---  4 procman users      4096 Nov 16  2005 production
drwxrwx--- 22 procman system     4096 Apr 26 10:21 systems

The problem is that any directory with a group other than users is simply not accessible to users who don't have local accounts. For example the user "ttest" (Tommy Test) has the following membership:

# id ttest
uid=10226(ttest) gid=1(Domain Users) groups=1(Domain Users),10109(Common GIS),10004(VPN ACCESS),10006(All Users),10021(Mapper),10010(TSC_USERS),10108(Common Development),10013(xeroxaccess)

And I have mapping between Windows and UNIX groups (list trimmed):

# net groupmap list
Guests (S-1-5-32-546) -> nobody
Domain Guests (S-1-5-21-2679732778-2536521927-3344223750-1199) -> nobody
Common Production (S-1-5-21-2679732778-2536521927-3344223750-7121) -> prod-mgrs
Common Administration (S-1-5-21-2679732778-2536521927-3344223750-21113) -> admin
Common Development (S-1-5-21-2679732778-2536521927-3344223750-7021) -> devel
Common GIS (S-1-5-21-2679732778-2536521927-3344223750-7141) -> gis
Common Marketing (S-1-5-21-2679732778-2536521927-3344223750-7041) -> marketing
Domain Users (S-1-5-21-2679732778-2536521927-3344223750-513) -> users
Common System (S-1-5-21-2679732778-2536521927-3344223750-7061) -> system

But "ttest" cannot enter the directories GIS or Development even tho he belongs to groups that should have access. Unless I am seriously misunderstanding the documentation at the samba.org web site.

testparm shows:

Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    unix charset = LOCALE
    workgroup = TOTALFLOOD
    netbios name = FILE-CABINET
    server string = Main File Server
    security = DOMAIN
    allow trusted domains = No
    username map = /etc/samba/smbusers
    log level = 5
    syslog = 2
    log file = /var/log/samba/%m.log
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    client signing = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    disable spoolss = Yes
    show add printer wizard = No
    wins server = 192.168.124.10
    idmap uid = 1-1
    idmap gid = 1-1
    template homedir = /export/private/%U
    template shell = "/sbin/nologin"
    winbind use default domain = Yes
    hosts allow = 192.168.124., 127.

[netapps]
    comment = Network Applications
    path = /export/netapps
    force user = procman
    force group = users
    read only = No

[common]
    comment = Common Files
    path = /export/common
    force group = users
    read only = No
    create mask = 0775
    force create mode = 0664
    directory mask = 0775
    force directory mode = 0775

[public]
    comment = Public Files
    path = /export/public
    force user = procman
    force group = users
    read only = No
    create mask = 0774

[homes]
    comment = Home Directory
    read only = No
    browseable = No

[xerox]
    comment = Scanned Documents Root
    path = /export/xerox
    force user = xerox
    force group = ftpguest
    read only = No

I've tried the steps in "Troubleshooting" and "Analyzing and Solving Samba Problems" and everything tests out OK.

--
Stephen Carville <[EMAIL PROTECTED]>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
[Samba] Re-exporting CIFS file systems
Is there a way to force the Samba server to ignore mounted CIFS file systems? I can't see anything in the smb.conf documentation to do this generally.
[Samba] Re: Pam [default=bad success=ok user_unknown=ignore], Winbind
Rex Dieter wrote:
> Nolan Garrett wrote:
>
>> Winbind has been working great for domain logons (have to restart it
>> every few weeks, but other than that, works great!), but today I noticed
>> I couldn't log in as a local user. For instance, if my local user was
>> test, and I tried to log in, I'd get this in /var/log/messages:
>>
>> Aug 22 12:14:00 mgprisvr pam_winbind[8346]: request failed, but PAM error
>> 0! Aug 22 12:14:00 mgprisvr pam_winbind[8346]: internal module error
>> (retval = 3, user = `test')
>
> What version of samba? (I *think* samba-3.0.23 had this problem, but it was
> fixed in 3.0.23a)
>
> -- Rex
>

I'm running 3.0.23a, still haven't moved to 3.0.23b since the FC5 guys haven't released an RPM (and I love my RPMs!).

Nolan
Re: [Samba] Excel error
Dominic Iadicicco wrote:

Hello all,

My network users are receiving an error when they try to save changes to an Excel file that is stored in a samba share. The error is "The file filename.xls may have been changed by another user since you last saved it. In that case, what do you want to do? save a copy or Overwrite changes.

Now they can all read and write to this share and it only happens with excel files so far. Word docs and others saves do not generate this error. Now Microsoft claims this is a feature but I have not been able to generate it with a peer to peer share I have setup between two winxp machines. It only happens when they try to save to any share on the samba domain. This server is running RH9 with samba 2.2.7a. The clients are winXP Pro Srv2 with MS office/Excel 2002.

Is this a known issue with this old version of samba? Is this a samba issue? If anyone could point me in the right direction I would greatly appreciate it. Also if you need any more info on the setup please let me know.

Try this KB article from MS & see if it fits.

http://support.microsoft.com/kb/324491/

Worked for me a while back. Has to do with network and filesystem latency issues with excel timestamp checking.

Regards,
Doug
[Samba] map an ad user to a specific uid question
I am still trying to resolve an issue where I need the ad user's home directory to have a specific uid so that when I nfs its home somewhere the user can access his files. I found wbuser.pl out there at http://www.occam.com/tools/:

    Mapping Active Directory Users to Existing UNIX UIDs

    Use this procedure on systems where AD user accounts should correspond to UNIX user accounts on other systems. Among other things, this allows NFS shares from a UNIX server to work on an Active Directory UNIX client. The normal behavior of winbind is to arbitrarily assign UIDs to users from the range specified in smb.conf. GIDs will continue to be assigned to groups automatically by winbind after following this procedure.

    Open issue: Is there any way to restrict login access to an AD client?

    Enable AD authentication as described above.

    Ensure that the range specified by idmap uid in smb.conf covers the range of UNIX UIDs to which accounts will be assigned. winbind lookups for UIDs outside that range will fail.

    NB: It's best not to use this procedure on systems that have a mix of AD accounts and UNIX accounts. If both types of accounts have UIDs within the same range, then winbind could automatically assign a UID for an existing UNIX account to an inappropriate AD account.

    Install wbuser, a custom script used to list, add, and remove the UID/SID mappings stored in /opt/local/samba/var/locks/winbindd_idmap.tdb.

    If desired, print a list of the current mappings with wbuser -l.

    For each user, execute sudo wbuser -a username UID, where username is the AD username, and UID is the UNIX UID assigned to it.

    Create a home directory for the user if necessary.

The problem is that I added a user which seemed to work, but the -l option does not display my added entry. It looks like it is trying to use tdbtool to do this. Does anybody have directions on how I can do this without this perl script? (I think things may have changed version wise to make the things the perl script regular expressions look for fail.) The username map option does not help. I really need to control what uid is getting used for my ad logins, so this is important to get working.

Note again, I am using idmap backend and security = ADS. If you know that the wbuser stuff above will not work because of the idmap backend, I need to know that.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
Re: [Samba] Cannot create builtin/administrator group and getpeername failed
Poil wrote:
> Hello,
> My PDC is working but I have some errors on my log, I'm searching since
> some days but I cannot find why.
>
> In log.smbd I have
> [2006/08/22 16:30:22, 0] lib/util_sock.c:get_peer_addr(1229)
> getpeername failed. Error was Noeud final de transport n'est pas connecté
>
> And In log.MachineName I have
> [2006/08/22 19:17:33, 0] auth/auth_util.c:create_local_nt_token(899)
> create_local_nt_token: Failed to create BUILTIN\Administrators group!
> [2006/08/22 19:18:13, 0] auth/auth_util.c:create_builtin_users(729)
> create_builtin_users: Failed to create Users
> [2006/08/22 19:18:13, 0] auth/auth_util.c:create_local_nt_token(899)
> create_local_nt_token: Failed to create BUILTIN\Administrators group!

if you are using idmap_rid or idmap_ad, this is normal. I've bumped the debug level for the upcoming 3.0.23c.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] User can't access a share that he has full control of
On Tue, Aug 22, 2006 at 11:43:31AM -0700, Ephi Dror wrote:
>
> However, frequently there are sub trees that need to be accessed by a
> particular user, and with the current semantics, you need to give more
> permissions than you might otherwise need to for the directories above
> the sub tree. The whole point of a share (or an NFS export) on a server
> is to be a direct point of access to clients.
>
> I didn't see how my change violate any POSIX security. It sounds to me
> so logic to give user permissions only from mount/export points and not
> for any directory leading to mount point.

It's POSIX. Allowing a user to traverse through a directory in which they have '---' permissions violates POSIX security.

Think of it this way. You want to prohibit a user who you've just fired from getting access to any area of the filesystem below a certain point. You add a POSIX ACL of u:name:--- to the top level directory and you're done. No need to hunt down any individual permissions, at one stroke you've cut off a path in the filesystem.

Windows does it differently by default (although it has a user right that is granted by default that allows this - in order for it to pass POSIX compliance tests you have to turn this right off).

I'm not saying we won't implement this right in the future but it's not as trivial as "always doing stat calls as root".

Jeremy.
Re: [Samba] HPUX net ads join
J J Urich wrote:
> Have been running samba successfully authenticating to a windows 2003
> domain since 3.0.1. Starting in 3.0.23 and 3.0.23b I can't do a "net
> ads join" on a HPUX itanium server running 11.23 ia64. I can kinit just
> fine w/ this userid. Samba was built with gcc 4.1.1. See below:

What version of the Krb5 libs are you running? There's an open issue with MIT Krb 1.2 (or any krb5 client lacking RC4-HMAC support).

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] Re: Pam [default=bad success=ok user_unknown=ignore], Winbind
Nolan Garrett wrote:

> Winbind has been working great for domain logons (have to restart it
> every few weeks, but other than that, works great!), but today I noticed
> I couldn't log in as a local user. For instance, if my local user was
> test, and I tried to log in, I'd get this in /var/log/messages:
>
> Aug 22 12:14:00 mgprisvr pam_winbind[8346]: request failed, but PAM error
> 0! Aug 22 12:14:00 mgprisvr pam_winbind[8346]: internal module error
> (retval = 3, user = `test')

What version of samba? (I *think* samba-3.0.23 had this problem, but it was fixed in 3.0.23a)

-- Rex
[Samba] Pam [default=bad success=ok user_unknown=ignore], Winbind
Winbind has been working great for domain logons (have to restart it every few weeks, but other than that, works great!), but today I noticed I couldn't log in as a local user. For instance, if my local user was test, and I tried to log in, I'd get this in /var/log/messages:

Aug 22 12:14:00 mgprisvr pam_winbind[8346]: request failed, but PAM error 0!
Aug 22 12:14:00 mgprisvr pam_winbind[8346]: internal module error (retval = 3, user = `test')

There were no errors in the winbind.log file.

In my /etc/pam.d/system-auth, I found this line:

account     [default=bad success=ok user_unknown=ignore] pam_winbind.so

I Googled that line (and parts of it) but had no luck figuring out what it was doing. I changed it to:

account     sufficient    pam_winbind.so

and now I can log in with local accounts, as well as domain (winbind) accounts.

I have two questions:

A) Is this some kind of bug with winbind, or did some other tool mis-configure my system-auth file with this line?

B) What does the [default=bad success=ok user_unknown=ignore] line do, and does it matter that I removed it?

Thanks!

Nolan Garrett
[Samba] Excel error
Hello all,

My network users are receiving an error when they try to save changes to an Excel file that is stored in a samba share. The error is "The file filename.xls may have been changed by another user since you last saved it. In that case, what do you want to do? save a copy or Overwrite changes.

Now they can all read and write to this share and it only happens with excel files so far. Word docs and others saves do not generate this error. Now Microsoft claims this is a feature but I have not been able to generate it with a peer to peer share I have setup between two winxp machines. It only happens when they try to save to any share on the samba domain. This server is running RH9 with samba 2.2.7a. The clients are winXP Pro Srv2 with MS office/Excel 2002.

Is this a known issue with this old version of samba? Is this a samba issue? If anyone could point me in the right direction I would greatly appreciate it. Also if you need any more info on the setup please let me know.

Thanks all

Dominic Iadicicco
South Country Library
Bellport NY
Re: [Samba] Access denied
From: "ML Samba" <[EMAIL PROTECTED]>

I'm trying to upgrade from Samba 3.0.14a to 3.0.23b. Using the exact same config file that I did in the older version, and using the exact same share directory and file permissions as I did with the old version, a share that I used to be able to access now returns:

tree connect failed: NT_STATUS_ACCESS_DENIED

See My Recent Thread: [Samba] 3.0.20 -> 3.0.23 SID/group error?? Won't connect.

I think the problem is the same. The problem will be fixed in 3.0.23c due out later this week. (at least that is Jerry's most recent estimate) In the mean time stick to 3.0.23a or earlier. (your 3.0.14a should be fine unless you need to upgrade for functionality)

--
David C. Rankin, J.D., P.E.
RANKIN LAW FIRM, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankinlawfirm.com
[Samba] HPUX net ads join
Have been running samba successfully authenticating to a windows 2003 domain since 3.0.1. Starting in 3.0.23 and 3.0.23b I can't do a "net ads join" on a HPUX itanium server running 11.23 ia64. I can kinit just fine w/ this userid. Samba was built with gcc 4.1.1. See below:

[EMAIL PROTECTED] # kinit jjurich_wa
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] # /fs/exec/samba/3.0.23/bin/net ads join -U jjurich_wa
jjurich_wa's password:
[2006/08/22 13:15:34, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine serv09.divms.uiowa.edu pipe \lsarpc fnum 0x400dreturned critical error. Error was NT_STATUS_OK
[2006/08/22 13:15:34, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_UNSUCCESSFUL
[2006/08/22 13:15:34, 0] utils/net_domain.c:netdom_get_domain_sid(169)
  Error connecting to LSA pipe. Error was NT_STATUS_UNSUCCESSFUL
Failed to join domain!

/fs/exec/samba/3.0.23/bin/net ads user -U jjurich_wa works fine as well.

[EMAIL PROTECTED] # /fs/exec/samba/3.0.23/bin/net -V
Version 3.0.23b

Any one else run into this? It is odd that the Error message is NT_STATUS_OK me thinks.

Regards,
JJ

--
JJ Urich
CSG Director
The University of Iowa
Phone 319-335-0750
Email: jjurich at divms dot uiowa dot edu
RE: [Samba] User can't access a share that he has full control of
Hi All,

One more point if I may:

I see that Samba currently considers it a security "problem", not a security "benefit".

However, frequently there are sub trees that need to be accessed by a particular user, and with the current semantics, you need to give more permissions than you might otherwise need to for the directories above the sub tree. The whole point of a share (or an NFS export) on a server is to be a direct point of access to clients.

I didn't see how my change violates any POSIX security. It sounds to me so logical to give user permissions only from mount/export points and not for any directory leading to mount point.

Cheers,
Ephi

-----Original Message-----
From: Ephi Dror
Sent: Monday, August 21, 2006 12:11 PM
To: samba@lists.samba.org
Cc: 'Jeremy Allison'; '[EMAIL PROTECTED]'
Subject: Re: [Samba] User can't access a share that he has full control of

Hi Simo,

Thank you for your reply.

I actually did a little test in which I have two users U1 and U2. I have a path \\dir1\dir2 in which I gave access only to administrator (whom mapped to 0) to dir1 and I gave U1 full control to dir2.

Now I made a share mapping to \\dir1\dir2. With SAMBA code "as is" neither U1 nor U2 can access the share. With my little patch as I described before U1 can access the share while U2 can't, which is exactly my expectation. Also this is how my "windows" customers can be set up for running home directories.

Our customers are too much "windows" oriented and prefer setting file securities (ACLs) via what they know best, which is file properties, and less via smb.conf in which we are the champions...

Also, they told me that they typically create some kind of an "admin" share to the root of the file system in which only restricted users and groups can have access and then they create all their wonderful folders and stuff in which they use ACLs to manipulate access. So they create different shares pointing to different paths in the file system but since the "admin" share that points to the root gave access only to administrator for example, that's how they run into the problem with our SAMBA.

So far I can't see it as a problem.

Cheers,
Ephi

-----Original Message-----
From: simo [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 11:41 AM
To: Jeremy Allison
Cc: Ephi Dror; samba@lists.samba.org
Subject: Re: [Samba] User can't access a share that he has full control of

On Mon, 2006-08-21 at 11:12 -0700, Jeremy Allison wrote:
> > 3. If I do this change for our customers, is there any security
> > issue here that I haven't thought about?
>
> Yes, it's a security hole (IMHO). It completely bypasses security for
> a path. There might be things an attacker could do with this (don't
> have time right now to think up evil scenarios but I'm sure there are
> some :-).

An easy example is accessing other users' home directories where the target user has a 700 permission on his home directory specifically set to keep out other users. It is a common scenario on unix environments.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
Re: [Samba] How to map a user to a specific uid?
I would like to see:

username map option allow you to specify a uid number so that a rid number is not used.

joe = 785755

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

>>> "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> 8/22/2006 2:14:45 PM >>>

David Shapiro wrote:
> What do you put in the file to map an ad user to a unix
> user? If I have an ad user MYDOMAIN+joe, do I put
> in user.map file:
> joe = MYDOMAIN+joe

If you are not running winbindd and using 'security = ads', you need

    joe = MYDOMAIN+joe MYDOMAIN.REA.LM+joe

to cover cases where the user may login via NTLM or Krb5.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] Authentication/name resolution with Samba print server
Hello~

I am setting up a Samba domain member server (on an Active Directory domain) that will act only as a print server, not an authentication server. So do I need any ID mapping services running, like winbind? Or any authentication services like kerberos? I know I will need name resolution for the printers in the printcap file for AD publishing and for the ACL's... is winbind ID mapping used for this?

--
Anni Marie Evanoff
Windows System Administrator
CST/OIT-Portland State University
(503) 725-3294
[EMAIL PROTECTED]
Re: [Samba] How to map a user to a specific uid?
I am using:

workgroup = BCBSNC
realm = BCBSNC.COM
server string = User management Server
security = ADS
password server = ad.bcbsnc.com
idmap backend = rid:BCBSNC=10-20
allow trusted domains = No
log level = 0
log file = /usr/local/samba/var/log.%m
max log size = 50
name resolve order = hosts wins lmhosts bcast
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = No
local master = No
dns proxy = No
wins server = svcmc02, svcmc03
ldap ssl = no
idmap uid = 10-20
idmap gid = 10-20
template shell = /bin/ksh
template homedir = /home/%D/%U
winbind separator = +
winbind nested groups = Yes
winbind use default domain = Yes
aio read size = 1
aio write size = 1
nt acl support = Yes
username map = /usr/local/samba/lib/users.map

[homes]
    root preexec = /usr/local/samba/bin/mkhome.sh %D %U
    path = /home/%D/%U
    valid users = %D+%U
    read only = No
    browseable = No

If I do an ls -la of the /home/MYDOMAIN, I see

drwxr-x--- 3 joe users 256 Feb 24 13:04 joe

But nfs mount joe on the remote system appears as uid of 10 instead of the uid 785757 (joe's unix uid). In that, it is using the rid id not the unix user's uid.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

>>> "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> 8/22/2006 2:14:45 PM >>>
David Shapiro wrote:
> What do you put in the file to map an ad user to a unix
> user? If I have an ad user MYDOMAIN+joe, do I put
> in user.map file:
> joe = MYDOMAIN+joe

If you are not running winbindd and using 'security = ads', you need

joe = MYDOMAIN+joe MYDOMAIN.REA.LM+joe

to cover cases where the user may login via NTLM or Krb5.

cheers, jerry
=====
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Cannot create builtin/administrator group and getpeername failed
Here are some debug info I miss :

  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2006/08/22 19:52:53, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-65534]
[2006/08/22 19:52:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(999)
  fetch gid from cache 65533 -> S-1-22-2-65533
[2006/08/22 19:52:53, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=arzur,dc=local], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))], scope => [2]
[2006/08/22 19:52:53, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2213)
  ldapsam_getgroup: Did not find group
[2006/08/22 19:52:53, 10] auth/auth_util.c:create_local_token(997)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2006/08/22 19:52:53, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=arzur,dc=local], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))], scope => [2]
[2006/08/22 19:52:53, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2213)
  ldapsam_getgroup: Did not find group
[2006/08/22 19:52:53, 10] auth/auth_util.c:create_local_token(997)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2006/08/22 19:52:53, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=arzur,dc=local], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-546))], scope => [2 ]
[2006/08/22 19:52:53, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2213)
  ldapsam_getgroup: Did not find group
[2006/08/22 19:52:53, 10] auth/auth_util.c:create_local_token(997)
  279,1 55%
[2006/08/22 19:52:53, 3] smbd/uid.c:push_conn_ctx(345)
[2006/08/22 19:52:53, 5] auth/auth_util.c:debug_nt_user_token(449)
  Primary group is 0 and contains 0 supplementary groups
[2006/08/22 19:52:53, 10] groupdb/mapping.c:pdb_create_builtin_alias(1328)
  Trying to create builtin alias 545
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/08/22 19:52:53, 3] smbd/uid.c:push_conn_ctx(345)
[2006/08/22 19:52:53, 5] auth/auth_util.c:debug_nt_user_token(449)
  NT user token: (NULL)
[2006/08/22 19:52:53, 5] auth/auth_util.c:debug_unix_user_token(475)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/08/22 19:52:53, 10] groupdb/mapping.c:pdb_create_builtin_alias(1328)
  Trying to create builtin alias 545
[2006/08/22 19:52:53, 10] passdb/lookup_sid.c:check_dom_sid_to_level(602)
  Accepting SID S-1-5-32 in level 1
[2006/08/22 19:52:53, 10] passdb/lookup_sid.c:lookup_sid(856)
  Sid S-1-5-32-545 -> BUILTIN\Users(4)
[2006/08/22 19:52:53, 3] groupdb/mapping.c:pdb_create_builtin_alias(1349)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2006/08/22 19:52:53, 0] auth/auth_util.c:create_builtin_users(729)
  create_builtin_users: Failed to create Users
[2006/08/22 19:52:53, 0] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/08/22 19:52:53, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/22 19:52:53, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=arzur,dc=local], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-48441270-57029814-2507678693-501)(sambaSIDList=S-1-22-2-65533)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)(sambaSIDList=S-1-22-2-65534)))], scope => [2]
[2006/08/22 19:52:53, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=arzur,dc=local], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-48441270-57029814-2507678693-501)(sambaSIDList=S-1-22-2-65533)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)(sambaSIDList=S-1-22-2-65534)))], scope => [2]
[2006/08/22 19:52:53, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-21-48441270-57029814-2507678693-501]
[2006/08/22 19:52:53, 3] lib/privileges.c:get_privileges(261)

Poil wrote:

Hello,

My PDC is working but I have some errors on my log, I'm searching since some days but I cannot find why.

In log.smbd I have

[2006/08/22 16:30:22, 0] lib/util_sock.c:get_peer_addr(1229)
  getpeername failed. Error was Noeud final de transport n'est pas connecté

And In log.MachineName I have

[2006/08/22 19:17:33, 0] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/08/22 19:18:13, 0] auth/auth_util.c:create_builtin_users(729)
  create_builtin_users: Failed to create Users
[2006/08/22 19:18:13, 0] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!

If you have an idea,

Thanks
Re: [Samba] How to map a user to a specific uid?
I noticed that even after I added a

username map = /usr/local/samba/lib/users.map

to smb.conf ...added to users.map:

joe MYDOMAIN+joe

The MYDOMAIN+joe home directory still shows the rid uid of 10 instead of the unix user joe's uid of 785755. What am I doing wrong?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

>>> "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> 8/22/2006 10:29:37 AM >>>
David Shapiro wrote:
> I need to nfs share the samba home directory of a
> user on the samba server over to another server,
> but the uid it is giving is for example
> 10 instead of the standard uid for the user on all
> the other servers. How can I make samba use
> whatever uid I want for the user (i.e., the uid the user
> is known as on other servers)? Is there a map
> type command or file I can use?

See 'username map' in smb.conf(5).

cheers, jerry
=====
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] Re: username map problem
One more note, I can add WindowsLogin to /etc/passwd and all works as expected.

On 8/22/06, Jamie Bohr <[EMAIL PROTECTED]> wrote:

I am also getting this error with samba-3.0.9-1.3E.10 on RHEL V4. I get

[2006/08/22 12:08:26, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [WindowsLogin] FAILED with error NT_STATUS_NO_SUCH_USER
[2006/08/22 12:08:26, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [WindowsLogin] -> [UNIXLogin] FAILED with error NT_STATUS_NO_SUCH_USER

Users whose account names are the same do not have this problem.

On 8/21/06, Jamie Bohr <[EMAIL PROTECTED]> wrote:
>
> I am using Samba 3.0.23a-1 and am having issues with the "username map"
> option. I copied my map that works for Samba 2.2.8 to a system running
> Samba 3, no good. I googled around and have come up short. Users whose
> Windows account names match their UNIX account names can use the shares,
> this affects only users whose account names do NOT match. The error I get
> is "session setup failed: NT_STATUS_LOGON_FAILURE". Can someone point me in
> a direction where I can find the answer?
>
> Thank you,
>
> --
> Jamie Bohr
>

--
Jamie Bohr
Re: [Samba] How to map a user to a specific uid?
David Shapiro wrote:
> What do you put in the file to map an ad user to a unix
> user? If I have an ad user MYDOMAIN+joe, do I put
> in user.map file:
> joe = MYDOMAIN+joe

If you are not running winbindd and using 'security = ads', you need

joe = MYDOMAIN+joe MYDOMAIN.REA.LM+joe

to cover cases where the user may login via NTLM or Krb5.

cheers, jerry
=====
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] Re: username map problem
I am also getting this error with samba-3.0.9-1.3E.10 on RHEL V4. I get

[2006/08/22 12:08:26, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [WindowsLogin] FAILED with error NT_STATUS_NO_SUCH_USER
[2006/08/22 12:08:26, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [WindowsLogin] -> [UNIXLogin] FAILED with error NT_STATUS_NO_SUCH_USER

Users whose account names are the same do not have this problem.

On 8/21/06, Jamie Bohr <[EMAIL PROTECTED]> wrote:

I am using Samba 3.0.23a-1 and am having issues with the "username map" option. I copied my map that works for Samba 2.2.8 to a system running Samba 3, no good. I googled around and have come up short. Users whose Windows account names match their UNIX account names can use the shares, this affects only users whose account names do NOT match. The error I get is "session setup failed: NT_STATUS_LOGON_FAILURE". Can someone point me in a direction where I can find the answer?

Thank you,

--
Jamie Bohr
Re: [Samba] How to map a user to a specific uid?
What do you put in the file to map an ad user to a unix user? If I have an ad user MYDOMAIN+joe, do I put in user.map file:

joe MYDOMAIN+joe

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

>>> "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> 8/22/2006 10:29:37 AM >>>
David Shapiro wrote:
> I need to nfs share the samba home directory of a
> user on the samba server over to another server,
> but the uid it is giving is for example
> 10 instead of the standard uid for the user on all
> the other servers. How can I make samba use
> whatever uid I want for the user (i.e., the uid the user
> is known as on other servers)? Is there a map
> type command or file I can use?

See 'username map' in smb.conf(5).

cheers, jerry
=====
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] [Fwd: Windows 2003 server unable to join a Samba PDC]
Thanks for the hint - Windows 2003 debug file yields this :

08/22 18:06:11 NetpDsGetDcName: trying to find DC in domain 'NEOT', flags: 0x1020
08/22 18:06:19 NetpDsGetDcName: found DC '\\ADMIN-PDC2' in the specified domain
08/22 18:06:19 NetpJoinDomain: status of connecting to dc '\\ADMIN-PDC2': 0x0
08/22 18:06:19 NetpGetLsaPrimaryDomain: status: 0x0
08/22 18:06:19 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\ADMIN-PDC2'
08/22 18:06:19 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
08/22 18:06:19 NetpLsaOpenSecret: status: 0xc034
08/22 18:06:19 NetpGetLsaPrimaryDomain: status: 0x0
08/22 18:06:19 NetpLsaOpenSecret: status: 0xc034
08/22 18:06:20 Failed to validate machine account for OFFICE1 against \\ADMIN-PDC2: 0xc06d
08/22 18:06:20 NetpJoinDomain: w9x: status of validating account: 0x52e

Then apparently, as it did not find a valid machine account, it tries to create one but fails (one is already present)

8/22 18:06:21 NetpManageMachineAccountWithSid: NetUserAdd on '\\ADMIN-PDC2' for 'OFFICE1$' failed: 0x8b0
08/22 18:06:21 NetpManageMachineAccountWithSid: status of attempting to set password on '\\ADMIN-PDC2' for 'OFFICE1$': 0x0
08/22 18:06:21 NetpJoinDomain: status of creating account: 0x0
08/22 18:06:21 NetpGetLsaPrimaryDomain: status: 0x0
08/22 18:06:21 NetpSetLsaPrimaryDomain: for 'NEOT' status: 0xc00d
08/22 18:06:21 NetpJoinDomain: status of setting LSA pri. domain: 0x57
08/22 18:06:21 NetpJoinDomain: initiaing a rollback due to earlier errors

Apparently it fails with this LSA domain stuff. Then it disables the account : 0

08/22 18:06:21 NetpGetLsaPrimaryDomain: status: 0x0
08/22 18:06:21 NetpManageMachineAccountWithSid: status of disabling account 'OFFICE1$' on '\\ADMIN-PDC2': 0x0

I checked and re-checked that the machine account was both a valid unix and samba account. I even tried a different machine name but to no avail.

I checked the samba log, but there is a massive amount of info. I parsed it however and could not exactly figure out what is wrong in the process. I know however that the machine name is found in smbpasswd file :

"[2006/08/22 18:07:02, 10] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1339) getsampwnam (smbpasswd): found by name: office1$"

> Christian,
>
>> I have been trying for hours to make a Windows 2003
>> Server R2 SP1 join a Samba PDC.
>> It does not work, and I simply get an error "Invalid
>> Parameter" on the 2003 side.
>
> Check the smbd logs (at level 10) and see why that error
> code is being returned.
>
> cheers, jerry
> =====
> Samba--- http://www.samba.org
> Centeris --- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian
[Samba] Cannot create builtin/administrator group and getpeername failed
Hello,

My PDC is working but I have some errors on my log, I'm searching since some days but I cannot find why.

In log.smbd I have

[2006/08/22 16:30:22, 0] lib/util_sock.c:get_peer_addr(1229)
  getpeername failed. Error was Noeud final de transport n'est pas connecté

And In log.MachineName I have

[2006/08/22 19:17:33, 0] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/08/22 19:18:13, 0] auth/auth_util.c:create_builtin_users(729)
  create_builtin_users: Failed to create Users
[2006/08/22 19:18:13, 0] auth/auth_util.c:create_local_nt_token(899)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!

If you have an idea,

Thanks
[Samba] Authentication against AD
Hallo.

I have a problem configuring winbind to authenticate against Active Directory (Windows Server 2003 R2 in native mode). Our net topology is as follows:

- We have PDCs for domain DOMA (i.e.) - there are user accounts for all people on our university.
- We have PDC for domain DOMB (DC for our department) that holds computer accounts.
- Between DOMA and DOMB is one side trust.

So Windows clients in domain DOMB can authenticate against user accounts of both domains (preferred DOMA). I have a problem configuring a Linux box (FC5 now but it's not necessary) to authenticate against DOMA. I have added it into DOMB and can authenticate against DOMB accounts. But not against DOMA. The wbinfo --sequence gives this:

DOMA : DISCONNECTED
BUILTIN : 1155834602
FEDORA : 1155834602
DOMB : 37926

Is it possible to authenticate this way? I suppose yes, but don't know how...

Thanks for any advice,
BoB
[Samba] Access denied
I'm trying to upgrade from Samba 3.0.14a to 3.0.23b. Using the exact same config file that I did in the older version, and using the exact same share directory and file permissions as I did with the old version, a share that I used to be able to access now returns:

tree connect failed: NT_STATUS_ACCESS_DENIED

When I try to connect to my home directory that's shared on the fly, I can get in just fine. I'm STUCK. How do I figure out what's wrong?

Oh, and yes, I'm part of the STC-InfoTech group, so that's not the problem.

Thanks,
Kevin

# uname -a
FreeBSD hr-stc-file3.smartrafficenter.net 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri Aug 18 20:02:55 EDT 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

# cat /usr/local/etc/smb.conf
#=== Global Settings =
[global]
    workgroup = VIRGINIADOT
    server string = STC Data Server
    security = ads
    load printers = no
    log file = /var/log/samba/log.%m
    max log size = 128
    password server = VDOTHR01.VIRGINIADOT.ORG
    encrypt passwords = yes
    realm = VIRGINIADOT.ORG
    passdb backend = tdbsam
    allow trusted domains = no
    idmap backend = rid:VIRGINIADOT=2000-6
    idmap uid = 2000-6
    idmap gid = 2000-6
    template shell = /usr/local/bin/bash
    template homedir = /usr/home/%U
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    winbind nested groups = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    preferred master = no
    domain logons = no
    wins server = 10.15.48.3
    dns proxy = no

# Share Definitions ==
[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[InfoTech]
    comment = Network Software Repository
    path = /mnt/shares/Software
    browseable = yes
    writable = yes
    valid users = @STC-InfoTech
    force group = STC-InfoTech
    force create mode = 00660
    force directory mode = 00770
    create mask = 00660
    directory mask = 00770

[FMSII]
    comment = Hidden FMS Share
    path = "/mnt/shares/Software/VDOT Financial and Inventory"
    browseable = no
    writable = no
    valid users = @STC-InfoTech
[Samba] [IDMAP AD] Strange questions on uid/gid resolution.
Dear all,

I am using Win2003 with SFU 3.5 (not R2) as domain controller. I enabled the UNIX attributes of several users and groups. I use idmap = ad to connect to my Win2003 box and set up the winbind / nss accordingly.

wbinfo -u / -g work fine, getent passwd / group works fine, chown works fine, id works fine. But when I try to use ls or groups, it returns the error "id: cannot find name for " and ls just shows the uid/gid instead of the name.

Any ideas? The config files / output are as follows:

Platform: Debian sarge
samba from backports.org
samba version (smbd -V): Version 3.0.22

smb.conf

idmap backend = ad:ldap://192.168.0.201
idmap uid = 5-51000
idmap gid = 5-51000
template shell = /bin/bash
template homedir = /home/%U
#winbind trusted domains only = Yes
winbind use default domain = yes
winbind nested groups = Yes
#winbind separator = "\"
winbind cache time = 10
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = template sfu

/etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat

wbinfo -u:

Administrator
Guest
DC1$
krbtgt
testuser01
fileserver$
PC1$
PC2$
testuser02
testuser03

wbinfo -g:

HelpServicesGroup
TelnetClients
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
DnsAdmins
DnsUpdateProxy
WINS Users
Local_Staff
IT_Team
Counselling_Team
PasswordPropDeny

getent passwd:

administrator:x:10002:10002:Administrator:/home/administrator:/bin/sh
testuser01:x:1:10002:User 01:/home/testuser01:/bin/sh
testuser02:x:10001:10002:User 02:/home/testuser02:/bin/sh
testuser03:x:10003:10002:User 03:/home/testuser03:/bin/sh

getent group:

Domain Users:x:10002:
Local_Staff:x:10004:testuser02
IT_Team:x:1:

chown and chgrp succeeds

ls /home:

drwxr-xr-x 5 1 1 4096 2006-08-22 23:50 testuser01
drwxr-xr-x 3 10001 1 4096 2006-08-22 11:31 testuser02
drwxr-xr-x 2 10003 1 4096 2006-08-23 00:13 testuser03

groups testuser01:

id: cannot find name for group ID 10002

Sorry for a very very long appendix. :P

Any help will be highly appreciated!

Jacky in desperate
Re: [Samba] Why can't I delete "Everyone" ACL entry on a Samba share?
Robert Mortimer wrote:
>> Henrik Zagerholm wrote:
>>> If I look at the security tab in windows I always
>>> see the Everyone entry. I think this is because the POSIX "other"
>>> entry in the FS on the debian box, correct?
>>>
>>> Can I remove it? If so how?
>> Can't remove it. That's by design.
>>
>>
> But you can remove "Everyone's" rights!

Yup. For the archives, you cannot remove Everyone because it is part of the Unix permission set.

jerry
[Samba] Differences between 'logon home' and 'logon path'?
Hey All,

I am going with creating a new Samba PDC, instead of trying to coax data files off of the old server at this time. Thankfully we have fewer than 40 workstations. So, this won't take too long.

However, I am running into a snag. I want to duplicate much of what was in the old smb.conf, only I am finding a few differences and new parts in the 3.x line of Samba that weren't part of the 2.x line of Samba.

What's the difference between the 'login home' and the 'logon path'? Both seem to be pointing to some kind of profile, but have slightly different paths and slightly different end points with 'profile' in the line.

Thanks,
Rob
Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch
Joel Franco wrote:
> I think the release notes for the 3.0.23b has
> the response:

W00t! Someone did release the release notes ! :-)
Re: [Samba] How to map a user to a specific uid?
David Shapiro wrote:
> I need to nfs share the samba home directory of a
> user on the samba server over to another server,
> but the uid it is giving is for example
> 10 instead of the standard uid for the user on all
> the other servers. How can I make samba use
> whatever uid I want for the user (i.e., the uid the user
> is known as on other servers)? Is there a map
> type command or file I can use?

See 'username map' in smb.conf(5).

cheers, jerry
=====
Samba--- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch
I think the release notes for the 3.0.23b has the response:

"Member servers, domain accounts, and smb.conf
=============================================

Since Samba 3.0.8, it has been recommended that all domain accounts listed in smb.conf on a member server be fully qualified with the domain name. This is now a requirement. All unqualified names are assumed to be local to the Unix host, either as part of the server's local passdb or in the local system list of accounts (e.g. /etc/passwd or /etc/group).

The reason for this change is that smbd has transitioned from access checks based on string comparisons to token based authorization. All names are resolved to a SID and they verified against the logged on user's NT user token. Local names will resolve to a local SID, while qualified domain names will resolve to the appropriate domain SID.

If the member server is not running winbindd at all, domain accounts will be implicitly mapped to local accounts and their tokens will be modified appropriately to reflect the local SID and group membership.

For example, the following share will restrict access to the domain group "Linux Admins" and the local group srvadmin.

[restricted]
    path = /data
    valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the owner of that directory, it is necessary to prefix the %S value to "valid users".

[global]
    security = {domain,ads}
    workgroup = DOM
    winbind separator = +
[homes]
    valid users = DOM+%S
"

--
|
| Joel Franco Guzmán    .''`.
| self-powered by      : :' :
| Debian Linux         `. `'
|                        `-

On Ter Jul 18 06 18:03, Howard Wilkinson wrote:
> Don,
>
> you are a genius, this fixed it! Anybody know why?
>
> Howard.
>
> Don Meyer wrote:
>
> >Well, I didn't see the last bit you describe, but I don't run RFC2307
> >(yet). We were bit by very similar behavior when moving from 3.0.22 to
> >the 3.0.23 RC's. Turns out that the use-default-domain option is not
> >being universally applied to groups in 3.0.23. As soon as I changed
> >my "valid users = +group" statements to the format "= +domain\group",
> >then this problem was fixed for us. Maybe it will do the trick for
> >you...
> >
> >Cheers,
> >-D
> >
> >
> >At 07:41 AM 7/18/2006, Howard Wilkinson wrote:
> >
> >>I have managed to isolate where the problem is, now I need to work
> >>out what the problem is?
> >>
> >>I have a group
> >>
> >>cohtech:*:16777225:lesley,howard,ecbull
> >>
> >>in which I am a member - howard.
> >>
> >>I have a
> >>
> >>valid users = +cohtech
> >>
> >>entry in smb.conf for the share I am trying to connect to, I get the
> >>following reported in the machine.log file -
> >>
> >>zebra.log: string_to_sid: Sid +cohtech does not start with 'S-'.
> >>
> >>and the users get rejected. If I declare the user directly then
> >>access is allowed.
> >>
> >>This server gets its group database from the AD controllers via RFC2307.
> >>
> >>Anybody know why group expansion may be broken in 3.0.23?
> >
> >
> >Don Meyer <[EMAIL PROTECTED]>
> >Network Manager, ACES Academic Computing Facility
> >Technical System Manager, ACES TeleNet System
> >UIUC College of ACES, Information Technology and Communication Services
> >
> > "They that can give up essential liberty to obtain a little
> >temporary safety,
> >deserve neither liberty or safety." -- Benjamin Franklin,
> >1759
>
> --
> Howard Wilkinson
> Phone: +44(20)76907075
> Coherent Technology Limited
> Fax:
> 23 Northampton Square,
> Mobile: +44(7980)639379
> London, United Kingdom, EC1V 0HL
> Email: [EMAIL PROTECTED]
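The release notes quoted in the message above say that, on a member server, every unqualified name in an smb.conf access list is treated as a local Unix account. The Python sketch below is an added illustration (not part of the original posts and not Samba code) that lists such names so each one can be reviewed; the sample config is constructed from `valid users` lines quoted in this thread, and the share name `[projects]` and the `write list` line are hypothetical.

```python
import re

# smb.conf parameters whose value is a list of user or group names.
NAME_LIST_PARAMS = {"valid users", "invalid users", "read list",
                    "write list", "admin users"}
# One list entry: a double-quoted or bare name, optionally prefixed by the
# group markers @, + or &.
NAME_RE = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section and parameter names are lower-cased and whitespace-collapsed.
    Handles '#' and ';' comments and trailing-backslash line continuation.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue
        line = pending + line
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def unqualified_names(text):
    """Return sorted (section, parameter, name) tuples for every access-list
    name that carries no domain prefix on a domain member server.

    The check cannot tell an intentionally local name (such as srvadmin in
    the release notes) from a forgotten domain prefix; it only reports what
    smbd will resolve locally.
    """
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # Samba 3 defaults to "security = user"; only domain members are affected.
    if glob.get("security", "user").lower() not in ("domain", "ads"):
        return []
    sep = glob.get("winbind separator", "\\").strip('"') or "\\"
    findings = []
    for section, params in conf.items():
        for param in NAME_LIST_PARAMS & params.keys():
            for token in NAME_RE.findall(params[param]):
                name = token.lstrip("@+&").strip('"')
                if name and sep not in name and "\\" not in name:
                    findings.append((section, param, name))
    return sorted(findings)


# Constructed sample: [restricted] and [homes] are the release-notes examples,
# [InfoTech] and +cohtech come from posts in this thread, [projects] and its
# write list are hypothetical.
SAMPLE = r'''
[global]
    security = ads
    workgroup = DOM
    winbind separator = +

[restricted]
    path = /data
    valid users = +"DOMAIN\Linux Admins" +srvadmin

[homes]
    valid users = DOM+%S

[InfoTech]
    path = /mnt/shares/Software
    valid users = @STC-InfoTech

[projects]
    valid users = +cohtech
    write list = howard, DOM+lesley
'''

if __name__ == "__main__":
    for section, param, name in unqualified_names(SAMPLE):
        print(f"[{section}] {param}: '{name}' will be resolved as a local account")
```

Names reported here are not necessarily wrong: a local group is a legitimate entry, so the output is a review list for upgrades to 3.0.23 and later rather than a list of errors.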
[Samba] How to map a user to a specific uid?
I have aix with 3.0.21c samba with the following smb.conf:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    server string = User management Server
    security = ADS
    password server = ad.mydomain.com
    idmap backend = rid:MYDOMAIN=10-20
    allow trusted domains = No
    log level = 0
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    name resolve order = hosts wins lmhosts bcast
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    preferred master = No
    local master = No
    dns proxy = No
    wins server = wins01, wins02
    ldap ssl = no
    idmap uid = 10-20
    idmap gid = 10-20
    template shell = /bin/ksh
    template homedir = /home/%D/%U
    winbind separator = +
    winbind nested groups = Yes
    winbind use default domain = Yes
    aio read size = 1
    aio write size = 1
    nt acl support = Yes

I need to nfs share the samba home directory of a user on the samba server over to another server, but the uid it is giving is for example 10 instead of the standard uid for the user on all the other servers. How can I make samba use whatever uid I want for the user (i.e., the uid the user is known as on other servers)? Is there a map type command or file I can use?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
[Samba] Winbind Problem after Update from 3.0.21b -> 3.0.23b
Hi all,

we're using Winbind on a Solaris 9 machine to authenticate our users, who are held in a Windows 2003SP1 AD. We are now using Samba 3.0.21b and everything works as expected. I configured the nsswitch and installed "libnss_winbind.so" and "pam_winbind.so" as described in the documentation, and winbind is able to resolve the AD users and groups and the users are able to log in to the system.

All Samba versions I tried are compiled from source with GCC version 3.2.2 from sunfreeware.com. They are all configured as follows:

./configure --prefix=$PREFIX \
    --bindir=$PREFIX/bin \
    --sbindir=$PREFIX/sbin \
    --libexecdir=$PREFIX/libexec \
    --datadir=/var/samba \
    --sysconfdir=/etc/samba \
    --sharedstatedir=/var/samba \
    --localstatedir=/var/samba \
    --libdir=/opt/samba/lib \
    --enable-shared=yes \
    --with-privatedir=/var/samba \
    --with-lockdir=/var/lock/samba \
    --with-piddir=/var/lock/samba \
    --with-configdir=/etc/samba \
    --with-logfilebase=/var/log/samba \
    --with-libdir=/opt/samba/lib \
    --with-readline=/usr/local/lib \
    --with-libiconv=/usr/local \
    --with-krb5=/opt/mit-krb5 \
    --with-automount=yes \
    --with-pam=yes \
    --with-ads=yes \
    --with-acl-support=yes \
    --with-pam=yes \
    --with-pam_smbpass=yes \
    --with-included-popt \
    --with-winbind=yes

After compiling I copied "libnss_winbind.so" to "/lib" and made some symbolic links to it:

libnss_winbind.so.1 -> libnss_winbind.so
libnss_winbind.so.2 -> libnss_winbind.so
nss_winbind.so.1 -> libnss_winbind.so
nss_winbind.so.2 -> libnss_winbind.so

I also copied "pam_winbind.so" to "/lib/security". And that worked until version 3.0.22 (which I tried also). Since version 3.0.23 it doesn't work anymore and winbind isn't able to get the users/groups from our Windows 2003SP1 AD.
When I do a "wbinfo -u" I get "Error looking up domain users" and the winbind logfile tells me:

[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(474)
  [0]: request interface version
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/21 17:28:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(507)
  [0]: request location of privileged pipe
[2006/08/21 17:28:46, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 19
[2006/08/21 17:28:46, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn LIST_USERS
[2006/08/21 17:28:46, 3] nsswitch/winbindd_user.c:winbindd_list_users(734)
  [0]: list users
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(399)
  refresh_sequence_number: WK time ok
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(427)
  refresh_sequence_number: WK seq number is now -1
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_server_down(297)
  wcache_server_down: server for Domain WK down
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:centry_expired(469)
  centry_expired: Key UL/TV for domain WK is good.
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:wcache_fetch(556)
  wcache_fetch: returning entry UL/TV for domain WK
[2006/08/21 17:28:46, 10] nsswitch/winbindd_cache.c:query_user_list(958)
  query_user_list: [Cached] - cached list for domain WK status: NT_STATUS_UNSUCCESSFUL

which does not really help me to find the problem.
The /etc/samba/smb.conf file looks like:

[global]
    workgroup = WK
    realm = WK.DOMAIN.DE
    security = ADS
    winbind separator = \
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/sh
    password server = passwd.domain.de
    # display charset = ISO8859-15
    # unix charset = ISO8859-15
    winbind use default domain = yes
    log file = /var/log/samba/log.%m
    log level = winbind:15
    # client use spnego = yes
    # client schannel = no

If I switch back to version 3.0.21b or even 3.0.22 with the same configuration, everything's OK immediately and the nsswitch works as it should; winbind is able to look up the AD users and groups and the users are able to log in to the system.

I searched the archives but couldn't find anybody with a similar problem when upgrading. And the changelog doesn't
[Samba] Samba and problem with DAPI (Crypto Api)
Hi,

I have a problem with Crypto API (DAPI) keys in the following environment: Domain Controller SAMBA, workstations with Windows XP. Roaming profiles are enabled. On the workstation a user certificate with a private key is installed. The private key is secured by the Windows Crypto API, which encrypts the private key with the user's main domain password. After a change of the user's domain password, SMB can't decrypt the user's private key, and this means that the user's certificate doesn't work.

Is there any solution to this problem? Currently I have to reinstall the user certificate after every change of the user's domain password...

Regards,
Barty